From db1fc67a9f6fb3773c1b7735a63be52a160c307f Mon Sep 17 00:00:00 2001
From: Jaifroid
Date: Fri, 10 Mar 2023 11:46:58 +0000
Subject: [PATCH] Force-add CSP to document, to increase security
---
 www/js/app.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/www/js/app.js b/www/js/app.js
index 15238c8e..45cd8396 100644
--- a/www/js/app.js
+++ b/www/js/app.js
@@ -4751,10 +4751,10 @@ define(['jquery', 'zimArchiveLoader', 'uiUtil', 'util', 'utf8', 'cache', 'images
 // });
 // }
- // If there is no CSP, add one to prevent external scripts and content
- if (!/]+Content-Security-Policy/i.test(htmlArticle)) {
+ // Add CSP to prevent external scripts and content - note that any existing CSP can only be hardened, not loosened
+ // if (!/]+Content-Security-Policy/i.test(htmlArticle)) {
 htmlArticle = htmlArticle.replace(/(]*>)\s*/, '$1\n \n ');
- }
+ // }
 // Maker return links
 uiUtil.makeReturnLink(dirEntry.getTitleOrUrl());
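Review bot: The now-unconditional `htmlArticle.replace(...)` still injects nothing when its pattern finds no match, so an article lacking the expected opening tag would be rendered with no added policy and no indication that this happened. The pattern is partly lost on this page, so the following is inferred from the visible flags only: the replace regex carries no `i` flag although the removed test did, which suggests an upper-case tag would also be skipped. Comparing the result with the input would make the failure visible, for example `var withCsp = htmlArticle.replace(...); if (withCsp === htmlArticle) console.warn('CSP meta tag was not injected');`, with a fallback that prepends the policy. The two lines kept as `// if (...) {` and `// }` are dead code and would be better deleted, since the new comment already explains why the policy is always added. The enclosing function starts and ends outside the hunk.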