riganti / dotvvm

Open source MVVM framework for Web Apps
https://www.dotvvm.com
Apache License 2.0

Make DotVVM CSP compliant #275

Open djanosik opened 7 years ago

djanosik commented 7 years ago

As of now every DotVVM application uses inline scripts and unsafe functions like new Function(...), eval(...), setTimeout(string), etc. It means you need to specify the unsafe-inline and unsafe-eval options when you want to use the CSP header to make your application secure.

This makes CSP practically useless and we should think about how to use DotVVM along with CSP restrictions.

I suggest to:

exyi commented 7 years ago

I think we could use the in the script-src header to get rid of unsafe-inline and do it completely automatically using the resource system. The unsafe-eval condition is unfortunately not relaxed, but we could at least modify knockout.js to check hashes of the evaluated before evaluating them so that data-bind injection would not work.

The second step could be made with the VDOM upgrade #383, maybe it will be possible to eliminate the unsafe-eval condition and render all bindings in a render script.

exyi commented 6 years ago

Btw, nice post "why would you want CSP" - https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5. Although it's not a perfect protection, it may help a lot.

exyi commented 2 years ago

https://content-security-policy.com/strict-dynamic/

With strict-dynamic in CSP 3 we might actually be able to finally implement it. This would solve the problem of loading new scripts / knockout expressions after a postback.