enso/app/gui/index.html

<!doctype html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link
      rel="stylesheet"
      type="text/css"
      crossorigin
      href="https://api.mapbox.com/mapbox-gl-js/v2.1.1/mapbox-gl.css"
    />
    <!-- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP -->
    <!-- FIXME https://github.com/validator/validator/issues/917 -->
    <!-- FIXME Security Vulnerabilities: https://github.com/enso-org/ide/issues/226 -->
    <!-- NOTE `frame-src` section of `http-equiv` required only for authorization -->
    <!-- NOTE [NP]: https://stripe.com/docs/security/guide#content-security-policy for Stripe.js -->
    <meta
      http-equiv="Content-Security-Policy"
      content="
            default-src     'self';
            frame-src       'self' data: https://js.stripe.com;
            script-src      'self' 'unsafe-eval' data: https://*;
            script-src-elem 'self' 'unsafe-inline' https://*;
            style-src       'self' 'unsafe-inline' data: https://*;
            connect-src     'self' data: ws://localhost:* ws://127.0.0.1:* http://localhost:* https://* wss://*;
            worker-src      'self' blob:;
            img-src         'self' blob: enso: data: https://*;
            font-src        'self' data: https://*"
    />
    <meta
      name="viewport"
      content="
            width=device-width,
            initial-scale = 1.0,
            maximum-scale = 1.0,
            user-scalable = no"
    />
    <title>Enso %ENSO_IDE_VERSION%</title>
  </head>
  <body>
    <div id="enso-spotlight" class="enso-spotlight"></div>
    <div id="enso-dashboard" class="enso-dashboard"></div>
    <div id="enso-chat" class="enso-chat"></div>
    <div id="enso-portal-root" class="enso-portal-root"></div>
    <script type="module" src="/src/entrypoint.ts"></script>
    <noscript> This page requires JavaScript to run. Please enable it in your browser. </noscript>
  </body>
</html>