authorsD <stoned@derpymail.org>2020-03-15 03:49:48 +0100
committersD <stoned@derpymail.org>2020-03-15 03:49:48 +0100
commit50eca684345fded6f792bfe331cc66be863d8769 (patch)
tree6443e7dda94bb4b7f289b4ae4d81f917c219e8c5 /webAO
parent2228b820af936ca27bb18fb0f52c013e29a4ce27 (diff)
add content policy and make wasabi use https
Diffstat (limited to 'webAO')
-rw-r--r--webAO/client.html6
-rw-r--r--webAO/client.js2
-rw-r--r--webAO/index.html5
3 files changed, 12 insertions, 1 deletions
diff --git a/webAO/client.html b/webAO/client.html
index 4637d69..ee18cbd 100644
--- a/webAO/client.html
+++ b/webAO/client.html
@@ -5,6 +5,12 @@
<title>Attorney Online session</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' file: data: ws: *.aceattorneyonline.com https://s3.wasabisys.com https://webao.animatedchatroom.net https://golden-layout.com https://ajax.googleapis.com;">
+ <meta http-equiv="X-Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' file: data: ws: *.aceattorneyonline.com https://s3.wasabisys.com https://webao.animatedchatroom.net https://golden-layout.com https://ajax.googleapis.com;">
+ <meta http-equiv="X-WebKit-CSP" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' file: data: ws: *.aceattorneyonline.com https://s3.wasabisys.com https://webao.animatedchatroom.net https://golden-layout.com https://ajax.googleapis.com;">
+
+
<link rel="stylesheet" type="text/css" href="styles/client.css?v=1.0.0" id="client_stylesheet">
<link rel="stylesheet" type="text/css" href="styles/default.css?v=1.0.0" id="client_theme">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
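Review bot: In the three added `<meta>` policies, `default-src` carries `'unsafe-inline'`, `'unsafe-eval'` and `data:`, and with no `script-src` given these apply to scripts too, so the policy limits where resources load from but does little against injected script; the index.html hunk has the same fallback. Consider a separate `script-src` that lists only the script origins (the context shows jQuery from `https://ajax.googleapis.com`) and moving `data:`/`file:` into `img-src`/`media-src`; which of the other hosts serve scripts is not visible here. `X-Content-Security-Policy` and `X-WebKit-CSP` are obsolete prefixed names that current browsers ignore, so I would drop those two lines and keep only the standard `Content-Security-Policy` one. A `<meta>` policy also cannot carry `frame-ancestors` or reporting directives, so a response header is the stronger place for this if the host allows it.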
diff --git a/webAO/client.js b/webAO/client.js
index e55accd..8251ca3 100644
--- a/webAO/client.js
+++ b/webAO/client.js
@@ -28,7 +28,7 @@ const serverIP = queryDict.ip;
let mode = queryDict.mode;
// Unless there is an asset URL specified, use the wasabi one
-const DEFAULT_HOST = location.hostname ? "http://s3.wasabisys.com/webao/base/" : "base/";
+const DEFAULT_HOST = location.hostname ? "https://s3.wasabisys.com/webao/base/" : "base/";
const AO_HOST = queryDict.asset || DEFAULT_HOST;
const THEME = queryDict.theme || "default";
const MUSIC_HOST = AO_HOST + "sounds/music/";
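Review bot: The `queryDict.asset` override on the context line after the changed one still accepts any URL from the query string, so the new https default only covers users who do not pass `asset`. On an https deployment an `http://` value would bring mixed content back, and a host outside the allowlist this commit adds to client.html would presumably be blocked by that policy. If custom asset hosts are meant to keep working, either validate the override (for example require `new URL(queryDict.asset).protocol === "https:"`) or add a comment such as `// asset override must be one of the origins allowed by the CSP in client.html`. These are module-level statements that continue outside the hunk.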
diff --git a/webAO/index.html b/webAO/index.html
index fca9173..e4e4c9e 100644
--- a/webAO/index.html
+++ b/webAO/index.html
@@ -6,6 +6,11 @@
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
+
+ <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' *.aceattorneyonline.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws:;">
+ <meta http-equiv="X-Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' *.aceattorneyonline.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws:;">
+ <meta http-equiv="X-WebKit-CSP" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' *.aceattorneyonline.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws:;">
+
<link href="https://fonts.googleapis.com/css?family=Poiret+One" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Oswald%7CRoboto+Condensed" rel="stylesheet">
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
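Review bot: `style-src`, `font-src` and `connect-src` replace the `default-src` list rather than extend it, so in these policies `'unsafe-inline'` and `*.aceattorneyonline.com` no longer apply to styles or to fetch/XHR/WebSocket connections. If index.html contains a `<style>` block or `style=` attribute, or fetches from an aceattorneyonline.com host, those would be blocked; neither is visible in this hunk, so it is worth testing with the browser console open. `connect-src 'self' ws:` also permits plaintext WebSocket connections to any host; if the listed servers can be reached over TLS, `wss:` would be the tighter choice.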