Lock down CSP in “.html” files to prove we can.

We want integrators to be able to enforce the strictest content security
policies possible — this change set places strict CSPs in our own
documents to keep us honest.

Author: theengineear

demo/chess/index.html

@@ -1,7 +1,8 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self';">
     <link rel="stylesheet" href="index.css">
     <script type="module" src="index.js"></script>
   </head>

demo/index.html

@@ -1,7 +1,8 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self';">
     <link rel="stylesheet" href="index.css">
     <script type="module" src="index.js"></script>
   </head>

demo/lit-html/demo-lit-html.js

@@ -1,6 +1,17 @@
 import BaseElement from './base-element.js';
 
 export default class DemoLitHtml extends BaseElement {
+  static get styles() {
+    const styleSheet = new CSSStyleSheet();
+    styleSheet.replaceSync(`
+      #container[emoji]::before {
+        content: " " attr(emoji);
+        font-size: 2rem;
+      }
+    `);
+    return [styleSheet];
+  }
+
   static get properties() {
     return {
       emoji: {
@@ -16,12 +27,6 @@ export default class DemoLitHtml extends BaseElement {
   static template(html, { ifDefined }) {
     return ({ emoji, message }) => {
       return html`
-        <style>
-          #container[emoji]::before {
-            content: " " attr(emoji);
-            font-size: 2rem;
-          }
-        </style>
         <div id="container" emoji="${ifDefined(emoji)}">Rendered &ldquo;${message}&rdquo; using <code>lit-html</code>.</div>
       `;
     };

demo/lit-html/index.html

@@ -1,7 +1,8 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-vpd4e6Q2EYlXOAcBOCPYNRqOSK1caV1iPamby7fBE30=' https://esm.sh/[email protected]/;">
     <script type="importmap">
       {
         "imports": {

demo/performance/default.html

@@ -1,7 +1,10 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <!-- We use “unsafe-eval” below because we need to trick the browser into
+         not caching tagged template string objects to test interpretation. -->
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'unsafe-eval';">
     <link rel="stylesheet" href="./index.css">
   </head>
   <body>

demo/performance/index.html

@@ -1,7 +1,8 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self';">
     <link rel="stylesheet" href="./index.css">
   </head>
   <body>

demo/performance/lit-html.html

@@ -1,7 +1,10 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <!-- We use “unsafe-eval” below because we need to trick the browser into
+          not caching tagged template string objects to test interpretation. -->
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'unsafe-eval' 'sha256-2gPcHEAV/bRWIxMnz3UA5z6w2m9RdFis8ZAa8Y/EZVg=' https://esm.sh/[email protected] https://esm.sh/[email protected]/;">
     <script type="importmap">
       {
         "imports": {

demo/performance/react.html

@@ -1,7 +1,12 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <!-- TODO: The react library has a bunch of dependencies which makes the CSP
+          unwieldy. Rather than enumerate them all, a blanket rule is encoded
+          below to allow any access to https://esm.sh/. You wouldn’t want to do
+          that on a production site, this is just for the demo. -->
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-HVRkfAW4ErWhOQ71jSlHDwiHtimNBYSzVw0wcuf6XwA=' https://esm.sh/;">
     <script type="importmap">
       {
         "imports": {

demo/performance/uhtml.html

@@ -1,7 +1,14 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <!-- TODO: The uhtml library has a bunch of dependencies which makes the CSP
+          unwieldy. Rather than enumerate them all, a blanket rule is encoded
+          below to allow any access to https://esm.sh/. You wouldn’t want to do
+          that on a production site, this is just for the demo. -->
+    <!-- We use “unsafe-eval” below because we need to trick the browser into
+          not caching tagged template string objects to test interpretation. -->
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'unsafe-eval' 'sha256-tqJYP2BfE6OLuQk1TacH2iYQga16y7fS413atm5uM9o=' https://esm.sh/;">
     <script type="importmap">
       {
         "imports": {

demo/react/index.html

@@ -1,7 +1,12 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <!-- TODO: The react library has a bunch of dependencies which makes the CSP
+          unwieldy. Rather than enumerate them all, a blanket rule is encoded
+          below to allow any access to https://esm.sh/. You wouldn’t want to do
+          that on a production site, this is just for the demo. -->
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-HVRkfAW4ErWhOQ71jSlHDwiHtimNBYSzVw0wcuf6XwA=' https://esm.sh/;">
     <script type="importmap">
       {
         "imports": {

demo/uhtml/demo-uhtml.js

@@ -1,6 +1,17 @@
 import BaseElement from './base-element.js';
 
 export default class DemoUhtml extends BaseElement {
+  static get styles() {
+    const styleSheet = new CSSStyleSheet();
+    styleSheet.replaceSync(`
+      #container[emoji]::before {
+        content: " " attr(emoji);
+        font-size: 2rem;
+      }
+    `);
+    return [styleSheet];
+  }
+
   static get properties() {
     return {
       emoji: {
@@ -16,12 +27,6 @@ export default class DemoUhtml extends BaseElement {
   static template(html) {
     return ({ emoji, message }) => {
       return html`
-        <style>
-          #container[emoji]::before {
-            content: " " attr(emoji);
-            font-size: 2rem;
-          }
-        </style>
         <div id="container" emoji="${emoji}">Rendered &ldquo;${message}&rdquo; using <code>µhtml</code>.</div>
       `;
     };

demo/uhtml/index.html

@@ -1,7 +1,12 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <!-- TODO: The uhtml library has a bunch of dependencies which makes the CSP
+          unwieldy. Rather than enumerate them all, a blanket rule is encoded
+          below to allow any access to https://esm.sh/. You wouldn’t want to do
+          that on a production site, this is just for the demo. -->
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-tqJYP2BfE6OLuQk1TacH2iYQga16y7fS413atm5uM9o=' https://esm.sh/;">
     <script type="importmap">
       {
         "imports": {

index.html

@@ -1,7 +1,8 @@
 <!doctype html>
 <html>
   <head>
-    <meta charset="UTF-8">
+    <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self';">
     <meta http-equiv="refresh" content="0; url=/demo">
   </head>
   <body></body>

test/index.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-analysis-errors.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-attribute-changed-errors.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-basic-properties.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-computed-properties.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-default-properties.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-element-upgrade.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-initial-properties.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-initialization-errors.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-internal-properties.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-listeners.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-observed-properties.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>

test/test-parser.html

@@ -2,8 +2,13 @@
 <html>
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="content-security-policy" content="default-src 'self'; script-src 'self' 'sha256-RVXBMfHRdgc8777jps6ngyVOY4g0I7LMQ7IUzGv2lbA=';">
     <script type="importmap">
-      { "imports": { "@netflix/x-test/": "../node_modules/@netflix/x-test/" } }
+      {
+        "imports": {
+          "@netflix/x-test/": "../node_modules/@netflix/x-test/"
+        }
+      }
     </script>
   </head>
   <body>