From 6bba7fbe475a6e0018c93463ae84a8bc0b09ca06 Mon Sep 17 00:00:00 2001 From: Jaifroid Date: Tue, 15 Jun 2021 09:13:37 +0100 Subject: [PATCH] Add CSP to pages if one is not defined Former-commit-id: de0a7c26598d56c1a03b6a722c783c0bbd91fa7f [formerly 93406bd67563282329b51851a52955c68821e3b2] [formerly 11506e62547aeddfee3ede757b5cf8e86256f0dc] [formerly 88d8cd53611bbd3db74cfb8b4566ce9186f3fcae [formerly 506fdafc7ed4026c0d642f73f134e5a6bcc98c41 [formerly 6117afc25e75940950baf1d31f17249c3c6874f4]]] Former-commit-id: 52cb8c2904d7b3ea601d7a99a5b89e0ff7840898 [formerly f042c4c2f4b91f5774e81ea219c36711c8541392 [formerly 4a0d2afea15662725cc2a1a0cd4b9c45c89097f6]] Former-commit-id: c0db3586d17131d4ab08e0c59b4df3d08c03ab08 [formerly 9df788e441d1a52ac81db6bae8b7c21d6f19cbab] Former-commit-id: 7adf6d6b5b0e3f8e1e445f961fccd9ae6a0bf0cb --- www/js/app.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/www/js/app.js b/www/js/app.js index 18d85cff..14103fc2 100644 --- a/www/js/app.js +++ b/www/js/app.js @@ -3555,6 +3555,11 @@ define(['jquery', 'zimArchiveLoader', 'uiUtil', 'util', 'cache', 'images', 'sett return match + '\r\n'; }); + // If there is no CSP, add one to prevent external scripts and content + if (!/]+Content-Security-Policy/i.test(htmlArticle)) { + htmlArticle = htmlArticle.replace(/(\s*<\/head>)/, '\n $1'); + } + //Preload stylesheets [kiwix-js #149] //Set up blobArray of promises var prefix = (window.location.protocol + '//' + window.location.host + window.location.pathname).replace(/\/[^/]*$/, '');
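Review bot: The policy is inserted immediately before `</head>`, but a CSP delivered in a meta element does not apply to content that precedes it, so scripts and stylesheets earlier in the article's head are not governed by it. The match `/(\s*<\/head>)/` is also case-sensitive and has no fallback, so an article with `</HEAD>` or no head element silently gets no policy at all. Inserting right after the opening tag would address the ordering and case issues, e.g. `htmlArticle = htmlArticle.replace(/(<head(?:\s[^>]*)?>)/i, '$1\n' + cspMeta);`, where `cspMeta` is a placeholder name for the meta string this commit adds (the tag text and the start of the test regex are not legible in this rendering of the patch). The guard also skips injection whenever the article already carries any Content-Security-Policy meta, however permissive; since multiple policies are enforced together, adding the app's policy unconditionally would only tighten the result. The enclosing function starts and ends outside the hunk.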