From b3c51537d5be3a9523170df85423a19393b7b833 Mon Sep 17 00:00:00 2001 From: Michael Czechowski Date: Sat, 28 Mar 2026 17:01:32 +0100 Subject: [PATCH] fix(security): add Content-Security-Policy meta tag Restricts script sources to self and known CDNs, connect sources to self and Supabase, blocks unauthorized resource loading. Allows unsafe-inline for styles (CodeMirror requirement) and blob: for sandboxed preview iframes. Addresses SEC-5 (HIGH) from security audit. --- src/index.html | 1 + 1 file changed, 1 insertion(+) diff --git a/src/index.html b/src/index.html index 2e6ccde..93e5341 100644 --- a/src/index.html +++ b/src/index.html @@ -4,6 +4,7 @@ + CODE CRISPIES - Learn HTML & CSS Interactively | Free Coding Practice
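Review bot: the one added line in the `@@ -4,6 +4,7 @@` hunk of src/index.html delivers the policy through a meta element, and a meta-delivered CSP ignores `frame-ancestors`, `report-uri` and `sandbox`, so this change gives no framing protection and no violation reporting. If the hosting setup allows response headers, send the same policy as a `Content-Security-Policy` header and keep the meta tag only as a fallback. Keep the tag ahead of every script and link element in the head, because a meta policy does not apply to content that precedes it. The commit message says script sources are limited to "self and known CDNs". If those are whole-host entries for public CDNs, anything hosted there is allowed to run, so narrow them to the exact paths in use or pin the scripts with Subresource Integrity. The policy value is not visible in this extract, so please confirm that `unsafe-inline` appears only under `style-src` and that `blob:` is scoped to the frame directive the preview iframes need rather than to `script-src` or `default-src`.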