[WIP] Add a Content Security Policy to our docs

[chandlerprall]

Summary

Relates to #1431 . This adds a Content Security Policy to the EUI docs for testing our compatibility against a strict setup.

@alexbrasetvik is this policy strict enough for testing with?

default-src 'self'
style-src 'nonce-bmV0c3BhcmtlciBydWxlcyA7KQ==' https://fonts.googleapis.com https://rsms.me/inter/inter-ui.css
font-src https://fonts.gstatic.com https://rsms.me

• The nonce is for our docs' dynamic loading of CSS, the loader injects via <style> tags - this is otherwise handled by a consuming application (Cloud, Kibana).
• fonts.googleapis.com / fonts.gstatic.com enables Open Sans font
• https://rsms.me_ / https://rsms.me enables InterUI font

remaining work

• There are a handful of components that use style attributes, this fails the no-inline-style policy and need to be updated. React, since v15, already applies styles through the JS DOM API
• react-ace / brace / ace editor injects style elements into the DOM

[kobelb]

CSP directive looks good!

[kobelb]

@epixa as you've been working through enabling CSP in Kibana, have you had a chance to determine the feasibility of us getting rid of style's 'unsafe-inline', is this something we should be removing from EUI preventatively?

[epixa]

I think we can get rid of unsafe-inline, and EUI should definitely be proactive about removing it.

[markov00]

Please, take a look also at the EUIColorPicker that can break the CSP security

[chandlerprall]

Please, take a look also at the EUIColorPicker that can break the CSP security

@snide what do we want to do with the color picker?

[snide]

what do we want to do with the color picker?

Make our own. Deprecate the old one. I think we should start simple with a limited swatch selector and something that works with custom hex code. I don't think we really need the color selector stuff and its a bit of overkill (@cchaos?).

If people agree with that premise, my old PR solved that, assuming i can get it running again.

[thompsongl]

EuiColorPicker is no longer a CSP blocker 🎉

[epixa]

What’s the current status here?

[chandlerprall]

@epixa on hold; we've addressed all of the known issues apart from EuiCode's reliance on brace (additional discussion on that in #1710). Planning on picking this back up at the start of the new year, as we haven't heard it being a prioritized item from Kibana or Cloud (beyond spot-checking a few specific things).

[chandlerprall]

Closing this; finishing the CSP work is a big TODO for early 2020, will open a new PR on this when additional items have been addressed.