Description
The current Content Security Policy is pretty good, but we can do better:
- Properly restrict JS/CSS sources to `https://` when the site itself is served over HTTPS
- Forbid inline JS
- Forbid `eval()`'d JS (this will be tricky due to the way Jade is done clientside - we'll probably just have to find another option)
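As an added example (not code from this project or the issue author), the policy the three items describe, written as a header builder plus a checker that flags the weaknesses they name in an existing header value. The HTTPS signal is assumed to come from something like Express's `req.secure`; the sample policies are constructed.

```javascript
// Build the Content-Security-Policy value the issue asks for.
// Over HTTPS: scripts/styles only from 'self' or https: origins.
// Over plain HTTP: 'self' only. No 'unsafe-inline', no 'unsafe-eval'.
function buildCsp(isHttps) {
  const srcs = isHttps ? "'self' https:" : "'self'";
  return [
    "default-src 'self'",
    `script-src ${srcs}`,
    `style-src ${srcs}`,
  ].join('; ');
}

// Parse a CSP header value into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Report the weaknesses listed in the issue for a given policy.
// script-src / style-src fall back to default-src when absent, as CSP does.
function cspWeaknesses(policy, isHttps) {
  const d = parseCsp(policy);
  const findings = [];
  for (const name of ['script-src', 'style-src']) {
    const sources = d[name] || d['default-src'] || [];
    if (sources.includes("'unsafe-inline'")) findings.push(`${name}: inline allowed`);
    if (name === 'script-src' && sources.includes("'unsafe-eval'")) findings.push(`${name}: eval allowed`);
    if (sources.includes('*')) findings.push(`${name}: wildcard source`);
    if (isHttps && sources.some((s) => s.startsWith('http:'))) {
      findings.push(`${name}: plain-http source on an HTTPS site`);
    }
  }
  return findings;
}

// Constructed sample: a permissive policy of the kind the issue wants to tighten.
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://cdn.example";
console.log(cspWeaknesses(weakPolicy, true));
console.log(cspWeaknesses(buildCsp(true), true)); // []
```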