WIP(csp): used blankie to set an initial CSP

set to report-only to work through the initial kinks for #918

lib/server/manifest.js

@@ -10,6 +10,27 @@ export default {
   server: {connections: {routes: {security: true}}},
   connections: [{port}],
   registrations: [
+    {plugin: 'scooter'},
+    {
+      plugin: {
+        register: 'blankie',
+        options: {
+          reportOnly: true,
+          reportUri: 'https://travi.report-uri.io/r/default/csp/reportOnly',
+          styleSrc: [
+            'self',
+            'fonts.googleapis.com'
+          ],
+          scriptSrc: [
+            'self',
+            'cdn.polyfill.io www.google-analytics.com'
+          ],
+          fontSrc: [
+            'fonts.gstatic.com'
+          ]
+        }
+      }
+    },
     {plugin: 'inert'},
     {plugin: 'vision'},
     {plugin: 'h2o2'},
@@ -26,9 +47,7 @@ export default {
       plugin: {
         register: 'good',
         options: {
-          ops: {
-            interval: 1000
-          },
+          ops: false,
           reporters: {
             console: [
               {

package.json

@@ -119,6 +119,7 @@
     "@travi/ioc": "1.0.0",
     "@travi/redux-fetch-middleware": "1.0.3",
     "async": "2.1.4",
+    "blankie": "2.0.0",
     "boom": "4.2.0",
     "glue": "4.1.0",
     "good": "7.1.0",
@@ -145,6 +146,7 @@
     "redial": "0.5.0",
     "redux": "3.6.0",
     "redux-immutable": "3.0.11",
+    "scooter": "4.0.0",
     "serialize-javascript": "1.3.0",
     "snyk": "1.24.5",
     "stampit": "3.1.2",