<!DOCTYPE html>
<!-- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
<html>
<head>
<meta charset="utf-8">
<script nonce="{{nonce}}">
window.__webpack_nonce__ = "{{nonce}}";
window.__plotly_nonce__ = "{{nonce}}";
// console.log("This script runs because it has the correct nonce.");
</script>
<base id="base" href="SUBDIR" target="_blank">
<link rel="icon" type="image/png" href="favicon.ico">
<title>Open Energy Dashboard</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" nonce="{{nonce}}">
<!--
The meta tag with "Content-Security-Policy" below is the Content Security Policy. Because default-src is set to 'self', every CSP directive that
is not specified only allows the OED site and its resources to be used or displayed. Directives such as img-src, media-src, and script-src are
also set to 'self' so that images, audio/video, and scripts (JavaScript and TypeScript) can only come from OED, which blocks any type of
injection. The font-src directive is the exception: OED also uses a font from a bootstrapcdn.com sub-domain, so that site is listed next to
'self'. To test CSP rules, change http-equiv="Content-Security-Policy" to http-equiv="Content-Security-Policy-Report-Only". This allows us to
send reports of what would have been blocked without actually blocking it.
Sites that use OED and are blocked by these CSP rules may add their site as an exception by listing its link in the directive that is blocking
it. The link must be added after 'self' but before the semicolon that marks the end of that directive. The font-src directive is a good
example of how to add a site to the exception list. Another example, adding a site (https://newException.com) to a directive that already has
multiple sites as exceptions: img-src 'self' http://example.com https://site_example.net; becomes img-src 'self'
http://example.com https://site_example.net https://newException.com;
-->
</head>
<body>
<div id="root"></div>
<script src="app/bundle.js" nonce="{{nonce}}">
</script>
<noscript>
<h1>OED requires JavaScript to run correctly. Please enable JavaScript.</h1>
</noscript>
</body>
</html>
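
The allowlist edit described in the comment and the `{{nonce}}` placeholders in the markup, as an added example that is not part of the OED code base. The function names and the sample policy are hypothetical, and it assumes the server substitutes `{{nonce}}` and sends the policy as a response header.

```javascript
// Added example (not OED code): edit a CSP allowlist and issue a per-response nonce.
const { randomBytes } = require("node:crypto");

// Constructed sample policy, shaped like the one the comment describes.
const SAMPLE_POLICY = "default-src 'self'; font-src 'self' https://maxcdn.bootstrapcdn.com;";

// Parse "name src src; name src;" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, src]) => [name, ...src].join(" ")).join("; ") + ";";
}

// A directive that is absent falls back to default-src in the browser, so a
// newly created directive starts from a copy of default-src to keep 'self'.
function sourcesFor(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? ["'self'"];
}

// Append one origin after 'self' and any existing entries of a directive.
function addSource(policy, directive, origin) {
  const url = new URL(origin); // throws on keywords such as 'unsafe-inline'
  if (origin.includes("*") || !/^https?:$/.test(url.protocol) || url.origin !== origin.toLowerCase()) {
    throw new Error(`expected a single http(s) origin without a path, got ${origin}`);
  }
  const directives = parseCsp(policy);
  const current = sourcesFor(directives, directive.toLowerCase());
  directives.set(directive.toLowerCase(), current.includes(origin) ? current : [...current, origin]);
  return serializeCsp(directives);
}

// Fill every {{nonce}} placeholder with a fresh random value and build the
// header that authorises exactly that value for scripts and styles.
function renderWithNonce(template, policy) {
  const nonce = randomBytes(16).toString("base64");
  const directives = parseCsp(policy);
  for (const name of ["script-src", "style-src"]) {
    directives.set(name, [...sourcesFor(directives, name), `'nonce-${nonce}'`]);
  }
  return { nonce, html: template.replaceAll("{{nonce}}", nonce), header: serializeCsp(directives) };
}
```

`renderWithNonce` must run once per response: a nonce that is cached or reused across responses can be replayed by injected markup.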