make the web ui more to chrome's liking

chrome does not like setting innerHTML, because it might be vulnerable to injection, but since we don't add user controlled data, we're fine require-trusted-types-for 'script'; trusted-types default; needs adding to Content-Security-Policty, see: https://stackoverflow.com/questions/62810553
jtgrassie · Mar 18, 2021 · d5dff5d · d5dff5d
1 parent ed4770a
commit d5dff5d
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/webui-embed.html b/src/webui-embed.html
@@ -1,5 +1,12 @@
 <!doctype html>
 <html>
+    <script>
+        if (window.trustedTypes && window.trustedTypes.createPolicy) {
+            window.trustedTypes.createPolicy('default', {
+                createHTML: (string, sink) => string
+            });
+        }
+    </script>
     <head>
         <title>monero-pool</title>
         <meta charset="utf-8">