d1075af77d
Browser code never calls OpenAI/Azure/Gemini directly; all AI traffic is server-side tRPC. connect-src is now locked to 'self'. Added object-src 'none', frame-src 'none', media-src 'self', and worker-src 'self' blob:. style-src keeps 'unsafe-inline' for React + @react-pdf/renderer (documented residual risk: script-src is nonce-based so CSS injection cannot escalate to JS). Added three regression tests covering connect-src no-wildcards, object/frame-src 'none', and worker-src scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
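As an added illustration of the three regression checks the commit describes (this is not the project's own code or test suite), the block below parses a Content-Security-Policy header the way a browser does, including the directive fallback chain, and asserts the invariants named in the message: no wildcard sources in connect-src, object-src and frame-src exactly 'none', and worker-src set explicitly and limited to 'self' and blob:. Both policy strings are constructed for the example; the project's real header, nonce value and function names (`parseCsp`, `effectiveSources`, `checkPolicy`) are assumptions.

```javascript
// Constructed strict policy matching the directives listed in the commit message.
// The nonce value is a placeholder, not the project's.
const STRICT_POLICY = [
  "default-src 'self'",
  "script-src 'self' 'nonce-abc123'",
  "style-src 'self' 'unsafe-inline'",
  "connect-src 'self'",
  "img-src 'self' data:",
  "object-src 'none'",
  "frame-src 'none'",
  "media-src 'self'",
  "worker-src 'self' blob:",
].join('; ');

// Constructed weak policy: wildcard connect-src, object-src/frame-src left to
// default-src, and worker-src inherited from the nonce-bearing script-src.
const WEAK_POLICY = [
  "default-src 'self'",
  "script-src 'self' 'nonce-abc123'",
  "connect-src 'self' https: https://*.example.com",
].join('; ');

// Parse a CSP header into Map<directive, sourceList>. Directive names are
// case-insensitive; a repeated directive is ignored after its first occurrence,
// which is what browsers do.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives that fall back to default-src when absent.
const DEFAULT_FALLBACK = new Set([
  'connect-src', 'frame-src', 'object-src', 'media-src', 'img-src',
  'font-src', 'script-src', 'style-src', 'child-src', 'manifest-src',
]);

// Resolve what a browser would actually enforce for a directive.
// worker-src falls back to child-src, then script-src, then default-src.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  const chain = name === 'worker-src'
    ? ['child-src', 'script-src', 'default-src']
    : (DEFAULT_FALLBACK.has(name) ? ['default-src'] : []);
  for (const fallback of chain) {
    if (directives.has(fallback)) return directives.get(fallback);
  }
  return null; // unrestricted
}

// A source is a wildcard if it is '*', a bare network scheme (any host over
// that scheme), or a host pattern with a wildcard label such as *.example.com.
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);
function isWildcard(src) {
  if (src === '*') return true;
  if (NETWORK_SCHEMES.has(src.toLowerCase())) return true;
  return /^(?:[a-z][a-z0-9+.-]*:\/\/)?\*\./i.test(src);
}

// Run the three regression checks; returns a list of failure messages (empty = pass).
function checkPolicy(header) {
  const d = parseCsp(header);
  const failures = [];

  // 1. connect-src: present (directly or via default-src) and wildcard-free.
  const connect = effectiveSources(d, 'connect-src');
  if (!connect) failures.push('connect-src: unrestricted (no directive and no default-src)');
  else for (const s of connect) if (isWildcard(s)) failures.push(`connect-src: wildcard source ${s}`);

  // 2. object-src and frame-src: must resolve to exactly 'none'.
  for (const name of ['object-src', 'frame-src']) {
    const srcs = effectiveSources(d, name);
    if (!srcs || srcs.length !== 1 || srcs[0].toLowerCase() !== "'none'") {
      failures.push(`${name}: expected 'none', got ${srcs ? srcs.join(' ') : '(unset)'}`);
    }
  }

  // 3. worker-src: set explicitly (otherwise it inherits script-src, i.e. the
  //    nonce) and limited to 'self' and blob:.
  if (!d.has('worker-src')) failures.push('worker-src: not set explicitly');
  else {
    const allowed = new Set(["'self'", 'blob:']);
    for (const s of d.get('worker-src')) {
      if (!allowed.has(s.toLowerCase())) failures.push(`worker-src: unexpected source ${s}`);
    }
  }
  return failures;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('strict policy failures:', checkPolicy(STRICT_POLICY));
  console.log('weak policy failures:', checkPolicy(WEAK_POLICY));
}
```

The fallback resolution matters for the worker-src check: without an explicit worker-src, a nonce-based script-src becomes the worker policy, so the check fails on absence rather than on content. Run with `node` to see the strict header pass and the weak one produce five findings.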