Move inline CSS to .css file, allow removing `unsafe-inline` for styles.
While investigating #138, I stumbled across a StackOverflow answer which discussed Content-Security-Policy with regard to styles. It led to an interesting talk, XSS (No, the other 'S'), which discusses all the problems with CSS styles being injected into a site.
For F-Droid, this includes (off the top of my head):
- Completely defacing the site, tarnishing the reputation of F-Droid.
- Hijacking the donate links in the sidebar with their own phishing donation links.
We are not as much worried about people bypassing CSRF tokens or session identifiers, because the static site doesn't have any sessions or logins, and you can't perform any actions on it.
The fix for this is the same as #138, but for styles: remove all inline styles, replacing them with styles in a proper stylesheet. This is probably good practice anyway; it is rare that styles genuinely need to be inline (as with scripts). Once no inline styles remain, `'unsafe-inline'` can be dropped from `style-src` in the Content-Security-Policy header.
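As an added illustration (this is not F-Droid's code, and the HTML and CSP header strings below are constructed for the example), a small checker that does the two things a reviewer of this change would want: scan a page for `style=""` attributes and `<style>` blocks that still need to move into the `.css` file, and evaluate whether a given `Content-Security-Policy` header still lets the browser apply inline styles. The `style-src` / `default-src` fallback and the rule that a nonce or hash source makes browsers ignore `'unsafe-inline'` follow the CSP specification; the sample page and policies are assumptions made for the demonstration.

```python
"""Find inline styles in a page and test whether a CSP still permits them."""
from html.parser import HTMLParser

# Constructed sample: a sidebar with one inline style attribute and one <style>
# block. Both must move into the stylesheet before 'unsafe-inline' can go.
SAMPLE_HTML = """<html><head>
<style>.sidebar a { color: blue; }</style>
<link rel="stylesheet" href="/assets/site.css">
</head><body>
<div class="sidebar" style="width: 200px">
  <a href="/donate">Donate</a>
</div></body></html>"""

# Constructed "after" version of the same page: no inline CSS anywhere.
CLEAN_HTML = """<html><head>
<link rel="stylesheet" href="/assets/site.css">
</head><body>
<div class="sidebar"><a href="/donate">Donate</a></div>
</body></html>"""


class InlineStyleFinder(HTMLParser):
    """Collects style="" attributes and counts <style> elements."""

    def __init__(self):
        super().__init__()
        self.style_attrs = []  # (tag name, attribute value)
        self.style_blocks = 0

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "style":
            self.style_blocks += 1
        for name, value in attrs:
            if name == "style":
                self.style_attrs.append((tag, value or ""))


def find_inline_styles(html):
    """Return ([(tag, css), ...] for style attributes, number of <style> blocks)."""
    finder = InlineStyleFinder()
    finder.feed(html)
    finder.close()
    return finder.style_attrs, finder.style_blocks


def has_inline_styles(html):
    """True if the page would break under a style-src without 'unsafe-inline'."""
    attrs, blocks = find_inline_styles(html)
    return bool(attrs) or blocks > 0


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def allows_inline_styles(header):
    """True if the policy lets the browser apply inline style attributes/blocks."""
    policy = parse_csp(header)
    # style-src governs styles; default-src is the fallback; with neither
    # present, CSP places no restriction on styles at all.
    sources = policy.get("style-src", policy.get("default-src"))
    if sources is None:
        return True
    sources = [s.lower() for s in sources]
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    weak = "default-src 'self'; style-src 'self' 'unsafe-inline'"
    strict = "default-src 'self'; style-src 'self'"
    print("weak policy allows inline styles:", allows_inline_styles(weak))
    print("strict policy allows inline styles:", allows_inline_styles(strict))
    for name, page in (("before", SAMPLE_HTML), ("after", CLEAN_HTML)):
        attrs, blocks = find_inline_styles(page)
        print(f"{name}: {len(attrs)} style attribute(s), {blocks} <style> block(s); "
              f"safe to ship the strict policy: {not has_inline_styles(page)}")
```

Run it against the built site's HTML output rather than the templates, since layouts and includes can each contribute inline CSS; the page is only ready for the strict header when the scan of every generated page reports zero attributes and zero blocks.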
Edited by Peter Serwylo