This repository has been archived by the owner on Nov 24, 2020. It is now read-only.

[security] Injected gitbook.page.hasChanged script is not CSP-compatible #56

Open
koczkatamas opened this issue Aug 16, 2017 · 0 comments

Comments


koczkatamas commented Aug 16, 2017

Gitbook should never use inline scripts (e.g. <script>...inline script...</script>) as this requires adding "unsafe-inline" to the Content-Security-Policy, which in turn makes the common XSS case (the inline one) much more easily exploitable.

This is of course not a security vulnerability in Gitbook by itself; it is just that Gitbook currently makes it hard to implement CSP properly.

I don't know exactly how Gitbook works, but maybe replacing

<script>
        var gitbook = gitbook || [];
        gitbook.push(function() {
            gitbook.page.hasChanged({...json...});
        });
</script>

with

<script id="gitbook_page_info" type="text/json">
{...json...}
</script>

and the gitbook.js init code could automatically search for this tag (e.g. document.getElementById("gitbook_page_info")), parse the JSON and call the page.hasChanged method.
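As an added example (not code from the GitBook project or from this issue), here is one way the proposal above could be implemented: a server-side step that embeds the page info as a data-only script block, and the client-side reader that gitbook.js could run at init. The names `embedPageInfo`, `readPageInfo`, `initGitbook` and `makeFakeDocument` are hypothetical, and the page object is constructed. The embed step also handles the one detail the proposal leaves implicit: JSON dropped verbatim into a `<script>` block would end the block early if a string contained `</script>`, so the serializer escapes `<`, `>`, `&` and the U+2028/U+2029 line separators as JSON `\u` escapes, which stay valid JSON for the reader.

```javascript
// Added example (hypothetical names, not GitBook's own code): the CSP-friendly
// pattern of shipping page info as a non-executable JSON block and reading it
// from the init code, instead of an inline <script> that needs 'unsafe-inline'.

// Server side: serialize page info into a data-only <script> block.
// JSON.stringify output is not safe to drop into HTML verbatim: a string
// containing "</script>" would close the tag early, so "<", ">", "&" and the
// U+2028/U+2029 line separators are rewritten as JSON \u escapes.
function embedPageInfo(pageInfo) {
  const json = JSON.stringify(pageInfo).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
  return '<script id="gitbook_page_info" type="application/json">' + json + "</script>";
}

// Client side (what gitbook.js would do at init): locate the data block,
// check that it is a JSON block rather than executable script, parse it and
// hand the result to page.hasChanged. `doc` only needs getElementById, so the
// function can be exercised without a browser.
function readPageInfo(doc) {
  const el = doc.getElementById("gitbook_page_info");
  if (!el) return null;
  const type = (el.getAttribute("type") || "").toLowerCase();
  if (type !== "application/json" && type !== "text/json") return null;
  return JSON.parse(el.textContent);
}

// Returns true when page info was found and delivered, false otherwise.
function initGitbook(doc, gitbook) {
  const info = readPageInfo(doc);
  if (info === null) return false;
  gitbook.page.hasChanged(info);
  return true;
}

// Constructed stand-in for a DOM: wraps the block produced by embedPageInfo
// in an object exposing just getElementById, getAttribute and textContent.
function makeFakeDocument(html) {
  const m = html.match(/<script id="([^"]+)" type="([^"]+)">([\s\S]*?)<\/script>/);
  const el = { id: m[1], getAttribute: (a) => (a === "type" ? m[2] : null), textContent: m[3] };
  return { getElementById: (id) => (id === el.id ? el : null) };
}
```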
