From 42c9637d93772ba1c88c3b99bb5d9098ff158226 Mon Sep 17 00:00:00 2001
From: Axel Bocciarelli
Date: Tue, 14 May 2024 10:49:41 +0200
Subject: [PATCH] Clean-up and document CSP code

---
 src/H5WebViewer.ts | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/H5WebViewer.ts b/src/H5WebViewer.ts
index 287d377..babd3a9 100644
--- a/src/H5WebViewer.ts
+++ b/src/H5WebViewer.ts
@@ -112,11 +112,15 @@ export default class H5WebViewer
)
);
- /*
- * CSP policy:
- * - `connect-src data:` allows download URLs generated by `getExportURL` when exporting datasets/slices
- * - `script-src 'unsafe-eval` allows `eval()` because of `cwise` dependency in H5Web
- */
+ const cspRules = [
+ "default-src 'none'", // strict by default
+ `connect-src ${cspSource} data:`, // `data:` for download URLs generated by `getExportURL` when exporting datasets/slices
+ `script-src ${cspSource} 'unsafe-eval'`, // 'unsafe-eval' because of cwise dependency in H5Web
+ `style-src ${cspSource}`,
+ 'img-src blob:', // for JPEG/PNG images in Raw visualization
+ 'worker-src blob:', // for H5WasmLocalFileProvider's inline worker
+ ];
+
return `
@@ -124,7 +128,7 @@ export default class H5WebViewer H5Web
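Review bot: The comment on the `script-src` rule explains why `'unsafe-eval'` is present but not that it relaxes the policy for every script served from `cspSource`, not just the cwise code, so the exception is easy to leave in place after the dependency is gone; I would extend it to `// 'unsafe-eval' because of cwise dependency in H5Web — applies to all scripts from cspSource; remove once cwise is dropped`. `style-src ${cspSource}` is the only entry in `cspRules` without a rationale comment, while each sibling has one; a short comment in the same style would keep the list uniform. The policy string is presumably assembled from `cspRules` inside the `return` template that continues outside the hunk, so the separator used and whether any further directives are appended there cannot be checked from this hunk.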