make the web ui more to chrome's liking

chrome does not like setting innerHTML, because it might be vulnerable to injection, but since we don't add user controlled data, we're fine require-trusted-types-for 'script'; trusted-types default; needs adding to Content-Security-Policty, see: https://stackoverflow.com/questions/62810553
jtgrassie · Mar 18, 2021 · 69aa145 · 69aa145
1 parent db9a1a2
commit 69aa145
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/webui-embed.html b/src/webui-embed.html
@@ -1,5 +1,12 @@
 <!doctype html>
 <html>
+    <script>
+        if (window.trustedTypes && window.trustedTypes.createPolicy) {
+            window.trustedTypes.createPolicy('default', {
+                createHTML: (string, sink) => string
+            });
+        }
+    </script>
     <head>
         <title>monero-pool</title>
         <meta charset="utf-8">