Merge pull request #25 from OpenLMIS/OIS-50-dynamic-csp-fix

OIS-50: dynamic CSP adding works

src/index.html

@@ -16,11 +16,6 @@
 <html lang="@@DEFAULT_LANGUAGE" ng-app="openlmis" manifest="manifest.appcache" xmlns="http://www.w3.org/1999/html">
     <head>
         <meta charset="utf-8">
-        <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' https://superset-uat.openlmis.org;
-               img-src 'self' www.google-analytics.com;
-               script-src 'self' www.google-analytics.com 'unsafe-inline';
-               connect-src 'self' www.google-analytics.com https://superset-uat.openlmis.org;
-               frame-src 'self' https://superset-uat.openlmis.org;" />
         <meta http-equiv="X-Content-Type-Options" content="nosniff" />
         <meta http-equiv="Referrer-Policy" content="no-referrer" />
         <meta http-equiv="Permissions-Policy" content="geolocation=(), microphone=()" />

src/openlmis-home/csp-generate.run.js

@@ -34,10 +34,10 @@
             }
 
             var cspHeader = 'default-src \'self\' \'unsafe-inline\' ' + SUPERSET_URL + ';\n' +
-                              'img-src \'self\' ' + GOOGLE_ANALYTICS_URL + ';\n' +
-                              'script-src \'self\' \'unsafe-inline\' ' + GOOGLE_ANALYTICS_URL + ';\n' +
-                              'connect-src \'self\' ' + GOOGLE_ANALYTICS_URL + ' ' + SUPERSET_URL + ';\n' +
-                              'frame-src \'self\'' + SUPERSET_URL + ';';
+                'img-src \'self\' ' + GOOGLE_ANALYTICS_URL + ';\n' +
+                'script-src \'self\' ' + GOOGLE_ANALYTICS_URL + ' \'unsafe-inline\' \'unsafe-eval\';\n' +
+                'connect-src \'self\' ' + GOOGLE_ANALYTICS_URL + ' ' + SUPERSET_URL + ';\n' +
+                'frame-src \'self\'' + SUPERSET_URL + ';';
 
             return cspHeader;
         }