Merge pull request #1702 from atom/enable-csp

initial attempt at CSP policy to see what breaks

package.json

@@ -30,6 +30,7 @@
     "mkdirp": "0.3.5",
     "keytar": "0.15.1",
     "less-cache": "0.12.0",
+    "loophole": "^0.3.0",
     "mixto": "1.x",
     "nslog": "0.5.0",
     "oniguruma": "1.x",
@@ -85,7 +86,7 @@
     "package-generator": "0.30.0",
     "release-notes": "0.26.0",
     "settings-view": "0.90.0",
-    "snippets": "0.35.0",
+    "snippets": "0.36.0",
     "spell-check": "0.28.0",
     "status-bar": "0.36.0",
     "styleguide": "0.26.0",

src/atom.coffee

@@ -11,6 +11,10 @@ _ = require 'underscore-plus'
 {Model} = require 'theorist'
 fs = require 'fs-plus'
 
+# this prevents CSP-related warnings for q's feature detection
+{allowUnsafeNewFunction} = require 'loophole'
+allowUnsafeNewFunction -> require 'q'
+
 {$} = require './space-pen-extensions'
 WindowEventHandler = require './window-event-handler'
 

src/key-binding.coffee

@@ -35,9 +35,10 @@ class KeyBinding
       try
         @parser = require './keystroke-pattern'
       catch
+        {allowUnsafeEval} = require 'loophole'
         keystrokePattern = fs.readFileSync(require.resolve('./keystroke-pattern.pegjs'), 'utf8')
         PEG = require 'pegjs'
-        @parser = PEG.buildParser(keystrokePattern)
+        allowUnsafeEval => @parser = PEG.buildParser(keystrokePattern)
 
     @parser.parse(keystroke)
 

static/index.html

@@ -3,39 +3,9 @@
 <head>
   <title></title>
 
-  <script>
-    window.onload = function() {
-      var path = require('path');
-      var ipc = require('ipc');
-      try {
-        // Skip "?loadSettings=".
-        var loadSettings = JSON.parse(decodeURIComponent(location.search.substr(14)));
+  <meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self'; style-src 'self' 'unsafe-inline';">
 
-        // Start the crash reporter before anything else.
-        require('crash-reporter').start({
-          productName: 'Atom',
-          companyName: 'GitHub',
-          // By explicitly passing the app version here, we could save the call
-          // of "require('remote').require('app').getVersion()".
-          extra: {_version: loadSettings.appVersion}
-        });
-
-        require('vm-compatibility-layer');
-        require('coffee-script').register();
-        require(path.resolve(__dirname, '..', 'src', 'coffee-cache')).register();
-        require(loadSettings.bootstrapScript);
-        ipc.sendChannel('window-command', 'window:loaded')
-      }
-      catch (error) {
-        var currentWindow = require('remote').getCurrentWindow();
-        currentWindow.setSize(800, 600);
-        currentWindow.center();
-        currentWindow.show();
-        currentWindow.openDevTools();
-        console.error(error.stack || error);
-      }
-    }
-  </script>
+  <script src="index.js"></script>
 </head>
 <body tabindex="-1">
 </body>

static/index.js

@@ -0,0 +1,31 @@
+window.onload = function() {
+  var path = require('path');
+  var ipc = require('ipc');
+  try {
+    // Skip "?loadSettings=".
+    var loadSettings = JSON.parse(decodeURIComponent(location.search.substr(14)));
+
+    // Start the crash reporter before anything else.
+    require('crash-reporter').start({
+      productName: 'Atom',
+      companyName: 'GitHub',
+      // By explicitly passing the app version here, we could save the call
+      // of "require('remote').require('app').getVersion()".
+      extra: {_version: loadSettings.appVersion}
+    });
+
+    require('vm-compatibility-layer');
+    require('coffee-script').register();
+    require(path.resolve(__dirname, '..', 'src', 'coffee-cache')).register();
+    require(loadSettings.bootstrapScript);
+    ipc.sendChannel('window-command', 'window:loaded')
+  }
+  catch (error) {
+    var currentWindow = require('remote').getCurrentWindow();
+    currentWindow.setSize(800, 600);
+    currentWindow.center();
+    currentWindow.show();
+    currentWindow.openDevTools();
+    console.error(error.stack || error);
+  }
+}