Feat/csp check

[gweiying]

This PR introduces utilities to check editor markdown content for unsupported elements in EditPage, resolving #179.

Implementation

At a high level, this is done by first retrieving and parsing the netlify.toml file from the website repo to extract the CSP for the repo. The user-edited markdown content is compiled into html, and inspected for any elements that violate the CSP. The violating elements are replaced with an error message, and the Save button is disabled until the user resolves the error message. An example of this is shown in the screenshot below.

Details

The CSP of a website specifies accepted sources for scripts on the website. Only scripts received from domains specified in the respective fetch directives can executed on the website. Currently, only 5 fetch directives and their fallbacks are supported in our CSP checking, frame-src, img-src, script-elem-src, object-src, media-src.

For each fetch directives, the types of html elements restricted are as follows:

• frame-src: frame, iframe
• img-src: img
• media-src: audio, video, track
• object-src: object, embed, applet
• script-src-elem: script

For example, with a media-src policy of 'none', <audio src="animal.mp3" controls></audio> will be considered a violating element.

If the frame-src is not specified, the checker falls back to the child-src policy value (link1 [link2])(http://csplite.com/csp/test121/), and defaults to default-src if child-src is not specified either. Similarly, if script-src-elem is not specified, script-src-elem falls back to script-src and defaults to default-src if script-src is not specified. All other fetch directives default automatically to default-src if not specified.

[kwajiehao]

this is very well-researched and i like how the functions are broken down, it was very easy to read. left comments and will follow-up offline

[kwajiehao]

lgtm