Merge pull request #42 from silx-kit/csp

Clean-up and document CSP code

src/H5WebViewer.ts

@@ -112,19 +112,23 @@ export default class H5WebViewer
       )
     );
 
-    /*
-     * CSP policy:
-     * - `connect-src data:` allows download URLs generated by `getExportURL` when exporting datasets/slices
-     * - `script-src 'unsafe-eval` allows `eval()` because of `cwise` dependency in H5Web
-     */
+    const cspRules = [
+      "default-src 'none'", // strict by default
+      `connect-src ${cspSource} data:`, // `data:` for download URLs generated by `getExportURL` when exporting datasets/slices
+      `script-src ${cspSource} 'unsafe-eval'`, // 'unsafe-eval' because of cwise dependency in H5Web
+      `style-src ${cspSource}`,
+      'img-src blob:', // for JPEG/PNG images in Raw visualization
+      'worker-src blob:', // for H5WasmLocalFileProvider's inline worker
+    ];
+
     return `
 			<!DOCTYPE html>
 			<html lang="en">
 			<head>
 				<meta charset="UTF-8">
 				<meta
           http-equiv="Content-Security-Policy"
-          content="default-src 'none'; connect-src ${cspSource} data:; script-src ${cspSource} 'unsafe-eval'; style-src ${cspSource}; img-src blob:; worker-src blob:;"
+          content="${cspRules.join('; ')};"
         >
 				<meta name="viewport" content="width=device-width, initial-scale=1.0">
 				<title>H5Web</title>