MC-01-003: Add CSP to Meta Tag (#2019)

* add meta content security policy

* inject meta csp based on production status

* use correct var

* rollback devtoll modification

common/index.html

@@ -4,6 +4,7 @@
 <head>
   <meta charset="utf-8">
   <title>MyCrypto</title>
+  <meta http-equiv="Content-Security-Policy" content="<%= htmlWebpackPlugin.options.metaCsp %>" >
   <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
   <meta name="description" content="MyCrypto is a free, open-source interface for interacting with the blockchain.">
   <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">

webpack_config/makeConfig.js

@@ -166,7 +166,10 @@ module.exports = function(opts = {}) {
       twitter: {
         site: config.twitter.creator,
         creator: config.twitter.creator
-      }
+      },
+      metaCsp: options.isProduction 
+        ? "default-src 'none'; script-src 'self'; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; manifest-src 'self'; font-src 'self'; img-src 'self' data: https://shapeshift.io; connect-src *;"
+        :  ""
     }),
 
     new CopyWebpackPlugin([