From 941d7a76e64fb2d6d7f0f91eafd20093866192f8 Mon Sep 17 00:00:00 2001
From: TantumErgo <9907196+TantumErgo@users.noreply.github.com>
Date: Fri, 6 Sep 2019 16:39:09 -0400
Subject: [PATCH] Added CSP to HTML code in oauth.service.ts

General:
HTML code is passed on lines 31-56. This code was without a CSP, leaving it vulnerable. A strict CSP was added on lines 35-38.

Notes:
1. VS Code documentation, as well as other recommendations on CSPs, use default-src 'none'. However, after reviewing the CSPs added in Pull Request #1020, I followed the convention of default-src vscode-resource. Make sure this is the level of security wanted, rather than the more secure 'none'.
2. form-action and frame-ancestors are included because these two directives do not automatically use the default-src permission of the CSP and must be explicitly set.
3. img-src includes https: as recommended by VS Code documentation for CSPs. I also included vscode-resource, but I did not include data: because I don't understand why it's used in Pull Request #1020. If you would like me to include data: let me know, and I will add it to the CSP.
4. script-src and style-src have 'self' included, but if this is redundant after specifying vscode-resource, let me know and I will remove the 'self' value. By including 'self' it whitelists all scripts and styles originating from the URL of the project website.
5. script-src and style-src also have 'unsafe-inline' included, as they were included in the CSPs in Pull Request #1020, but it is recommended that SHA-256 be used when possible instead. script-src can use a SHA-256 hash of scripts, but I'm not sure if style-src can as well. Regardless, I continued using 'unsafe-inline' to match the other CSPs in the project, and because I didn't want to break any of the project's current functions by using too strict a CSP.
---
 src/service/github.oauth.service.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/service/github.oauth.service.ts b/src/service/github.oauth.service.ts index 67b972c3..497ccf74 100644 --- a/src/service/github.oauth.service.ts +++ b/src/service/github.oauth.service.ts @@ -32,6 +32,10 @@ export class GitHubOAuthService { +
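Review bot: keeping 'unsafe-inline' in script-src (note 5 of the commit message) gives up most of the protection the added meta tag is meant to provide, because any inline script that reaches the webview HTML still satisfies the policy; style-src does accept 'sha256-…' hash sources for inline <style> elements (CSP Level 2), so both directives can drop 'unsafe-inline' once the inline bodies are hashed. The claim in note 4 that 'self' whitelists the project website is also not what 'self' means here: it resolves to the origin of the document the policy is attached to, which for a webview is the webview's own origin, not the project's website URL, so it should be removed or its purpose stated in a comment. On note 1, default-src 'none' with explicit per-directive allow-lists is the safer baseline the VS Code documentation recommends; if default-src vscode-resource is kept for consistency with #1020, please say so in a comment above the meta tag. The hunk as extracted here shows only its `+` marker, so the four added lines could not be checked against these points individually.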
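Added example in TypeScript, not code from the commit or from the project, showing how the policy shape the commit message describes can drop 'unsafe-inline' in favour of SHA-256 hash sources (which style-src accepts for inline style elements as well), together with a small audit that reports the points a reviewer would raise. The inline script and style bodies, the `vscode-resource:` scheme spelling, and the audit wording are assumptions made for the example.

```typescript
import { createHash } from "crypto";

// Map of CSP directive name -> list of source expressions.
type CspDirectives = Record<string, string[]>;

// Hash-source for one inline <script> or <style> body, as the CSP spec defines
// it: base64(SHA-256(exact text between the tags)), whitespace included.
function cspHashSource(inlineBody: string): string {
  const digest = createHash("sha256").update(inlineBody, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Serialise a directive map into the policy string that goes into the meta tag.
function buildCsp(directives: CspDirectives): string {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ") + ";";
}

// Constructed inline bodies standing in for the script and style blocks a
// webview's HTML might carry (hypothetical, not taken from the project).
const INLINE_SCRIPT = "const vscode = acquireVsCodeApi();";
const INLINE_STYLE = "body { font-family: var(--vscode-font-family); }";

// Policy in the shape the commit message describes: 'unsafe-inline' on
// script-src and style-src, and default-src vscode-resource.
function permissiveCsp(): string {
  return buildCsp({
    "default-src": ["vscode-resource:"],
    "img-src": ["vscode-resource:", "https:"],
    "script-src": ["vscode-resource:", "'self'", "'unsafe-inline'"],
    "style-src": ["vscode-resource:", "'self'", "'unsafe-inline'"],
    "form-action": ["'none'"],
    "frame-ancestors": ["'none'"],
  });
}

// Hardened variant: default-src 'none', and the inline bodies admitted by hash
// instead of 'unsafe-inline', so an injected inline script does not match.
function hashedCsp(): string {
  return buildCsp({
    "default-src": ["'none'"],
    "img-src": ["vscode-resource:", "https:"],
    "script-src": ["vscode-resource:", cspHashSource(INLINE_SCRIPT)],
    "style-src": ["vscode-resource:", cspHashSource(INLINE_STYLE)],
    "form-action": ["'none'"],
    "frame-ancestors": ["'none'"],
  });
}

// Parse a policy string back into a directive map (used by the audit below).
function parseCsp(policy: string): CspDirectives {
  const out: CspDirectives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name] = sources;
  }
  return out;
}

// Review-style audit: returns the findings a reviewer would raise on a policy.
function auditCsp(policy: string): string[] {
  const d = parseCsp(policy);
  const findings: string[] = [];
  for (const name of ["script-src", "style-src"]) {
    // An absent fetch directive inherits default-src, so check that too.
    const sources = d[name] ?? d["default-src"] ?? [];
    if (sources.includes("'unsafe-inline'")) {
      findings.push(`${name} allows 'unsafe-inline'; hash or nonce the inline bodies instead`);
    }
  }
  if (!(d["default-src"] ?? []).includes("'none'")) {
    findings.push("default-src is not 'none'; every unlisted fetch directive inherits it");
  }
  for (const name of ["form-action", "frame-ancestors"]) {
    if (!(name in d)) findings.push(`${name} missing; it does not fall back to default-src`);
  }
  return findings;
}

// Wrap a policy in the meta tag form a webview's HTML uses.
function cspMetaTag(policy: string): string {
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}
```

The hash must be recomputed whenever the inline body changes by even one byte, which is why it is derived from the same constant that is rendered into the HTML rather than pasted in by hand.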