Skip to content

platform: Tighten Content Security Policy #1224

Description

@jeromehardaway

Intent

Tighter CSP: script-src currently allows unsafe-inline and unsafe-eval.

Scope

  • Remove unsafe-eval (and unsafe-inline where feasible) using nonces/hashes.
  • Verify third-party embeds (Donorbox, Shopify, Cloudinary) still work; document any exceptions.

Acceptance criteria

  • CSP without unsafe-eval; unsafe-inline removed where possible
  • Embeds functional
  • Exceptions documented

Touches: Cross-cutting.

Metadata

Metadata

Assignees

No one assigned

    Labels

    epic:platformCross-cutting: CI, tests, security, observabilitysecuritySecurity vulnerability or hardening work

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions