public/code-crispies
2
1
Fork 0
Code Issues Pull Requests Actions Activity

fix(security): add Content-Security-Policy meta tag

Browse Source 
Restricts script sources to self and known CDNs, connect sources to
self and Supabase, blocks unauthorized resource loading. Allows
unsafe-inline for styles (CodeMirror requirement) and blob: for
sandboxed preview iframes.

Addresses SEC-5 (HIGH) from security audit.
This commit is contained in:
Michael Czechowski
2026-03-28 17:01:32 +01:00
parent 743060f71b
commit b3c51537d5
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/index.html
View File

@@ -4,6 +4,7 @@
<meta charset="UTF-8" />
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' https://librete.ch https://liberapay.com; style-src 'self' 'unsafe-inline'; connect-src 'self' https://*.supabase.co wss://*.supabase.co; img-src 'self' https://liberapay.com data:; font-src 'self'; frame-src 'self' blob:" />
<!-- Primary Meta Tags -->
<title>CODE CRISPIES - Learn HTML & CSS Interactively | Free Coding Practice</title>