feat(mdviewer): add Content-Security-Policy to block injected scripts

abose · abose · commit b0db69debde1 · 2026-04-05T08:47:56.000+05:30
Add CSP meta tag to md viewer iframe HTML:
- script-src 'self': blocks inline scripts and external script URLs
  from markdown content, only allows the bundled mdviewer JS
- connect-src 'self': blocks fetch/XHR to external URLs, preventing
  data exfiltration even if a script somehow executes
- img-src allows external URLs (needed for markdown images)
- style-src allows self + unsafe-inline (needed for element positioning)

Combined with the existing iframe sandbox (no allow-same-origin),
this provides defense-in-depth against malicious markdown content.
diff --git a/src-mdviewer/index.html b/src-mdviewer/index.html
@@ -4,6 +4,13 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta name="color-scheme" content="light dark" />
+    <meta http-equiv="Content-Security-Policy"
+          content="default-src 'self';
+                   script-src 'self';
+                   style-src 'self' 'unsafe-inline';
+                   img-src 'self' blob: data: phtauri: https: http:;
+                   font-src 'self' data:;
+                   connect-src 'self';" />
     <script type="module" src="/src/embedded-main.js"></script>
 </head>
 <body>
