refactor: use iframes for gist embedding instead of gist-embed

The used library gist-embed relies on GitHub Gist's JSONP
endpoint which is a risk for XSS injection. By adding untrusted
content from GitHub into the DOM it also follows very bad
practises. Using the iframe embedding has the disadvantage of
not having the proper height for the frame auto-loaded, but
the security benefits are worth it.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>

lib/csp.js

@@ -10,18 +10,17 @@ const defaultDirectives = {
   connectSrc: ['\'self\'', buildDomainOriginWithProtocol(config, 'ws')],
   fontSrc: ['\'self\''],
   manifestSrc: ['\'self\''],
-  frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
+  frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com', 'https://gist.github.com'],
   imgSrc: ['*', 'data:'], // we allow using arbitrary images & explicit data for mermaid
   scriptSrc: [
     config.serverURL + '/build/',
     config.serverURL + '/js/',
     config.serverURL + '/config',
-    'https://gist.github.com/',
     'https://vimeo.com/api/oembed.json',
     'https://www.slideshare.net/api/oembed/2',
     '\'unsafe-inline\'' // this is ignored by browsers supporting nonces/hashes
   ],
-  styleSrc: [config.serverURL + '/build/', config.serverURL + '/css/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
+  styleSrc: [config.serverURL + '/build/', config.serverURL + '/css/', '\'unsafe-inline\''], // unsafe-inline is required for some libs, plus used in views
   objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
   formAction: ['\'self\''],
   mediaSrc: ['*']