WEBUI-1446: CSP headers without the insecure unsafe-inline directive

plugin/web-ui/addon/src/main/resources/OSGI-INF/web-ui-properties.xml

@@ -36,6 +36,8 @@
     <!-- S3 Direct upload -->
     <property name="org.nuxeo.web.ui.s3.useDirectUpload">${nuxeo.s3storage.useDirectUpload:=false}</property>
 
+    <property name="org.nuxeo.web.ui.expressions.eval">false</property>
+
     <!-- Redirect to final download url -->
     <property name="org.nuxeo.web.ui.url.followRedirect">${org.nuxeo.download.url.follow.redirect:=false}</property>
 

plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/config.jsp

@@ -29,6 +29,8 @@
 var Nuxeo = Nuxeo || {};
 Nuxeo.UI = Nuxeo.UI || {};
 Nuxeo.UI.config = <%= cs.getPropertiesAsJson("org.nuxeo.web.ui") %>;
+Nuxeo.UI.config.expressions = Nuxeo.UI.config.expressions || {};
+Nuxeo.UI.config.expressions.eval = false;
 Nuxeo.UI.bundles = [
   <% for (Resource resource : wrm.getResources(new ResourceContextImpl(), "web-ui", "import")) { %>
   '<%= context %><%= resource.getURI() %>',

plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp

@@ -78,6 +78,9 @@ limitations under the License.
   <meta name="msapplication-TileImage" content="images/touch/ms-touch-icon-144x144-precomposed.png">
 
   <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
+
+  <!-- Content security policy (needs Nuxeo.UI.config.expressions.eval = false) -->
+  <meta http-equiv="Content-Security-Policy" content="img-src data: blob: *; default-src blob: *; script-src data: * 'nonce-dummy'; style-src 'unsafe-inline' *; font-src data: *"/>
 
   <style>
     <%@include file="index.css"%>