feat(security): add Content-Security-Policy in report-only mode
Configure kit.csp (mode auto) so SvelteKit nonces its own scripts and
script-src can stay free of 'unsafe-inline'. style-src keeps 'unsafe-inline'
for the preview's dynamic inline style attributes. Allowlist covers Google
Fonts, GA, Tally, and the example-previews CDN.
Move the GA gtag bootstrap out of app.html into bundled JS
(deferThirdPartyScripts) so the page ships no inline script. Add a
/api/csp-report endpoint that logs violations while running report-only.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
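As an added example that is not part of this commit or the project's code, the block below sketches the two pieces the message describes: the shape of `kit.csp` in `svelte.config.js` (mode `auto`, directives under `reportOnly`, `report-uri` pointing at `/api/csp-report`) and a handler for that endpoint that accepts both report formats a browser may send (the legacy `application/csp-report` body and the Reporting API `application/reports+json` array), normalizes them into one record per violation, drops browser-extension noise, and counts violations per directive so the allowlist can be tuned before the policy is switched to enforcing. The hostnames in the config are illustrative, not the project's actual allowlist; the `POST({ request })` signature is SvelteKit's `+server.js` convention, and in the real route file the handler would be exported. The sample reports are constructed.

```javascript
// Added example (not the project's code): kit.csp shape plus a
// /api/csp-report handler for a SvelteKit app running CSP in report-only mode.

// Shape of `kit.csp` as svelte.config.js expects it. SvelteKit quotes keywords
// (self, unsafe-inline) itself, so they are written bare. Hosts are placeholders.
const cspConfig = {
  mode: 'auto', // nonce on SSR responses, hash on prerendered pages
  reportOnly: {
    'default-src': ['self'],
    // No unsafe-inline: in mode 'auto' SvelteKit nonces/hashes its own scripts.
    'script-src': ['self', 'https://www.googletagmanager.com', 'https://tally.so'],
    // unsafe-inline kept here for the preview's dynamic inline style attributes.
    'style-src': ['self', 'unsafe-inline', 'https://fonts.googleapis.com'],
    'font-src': ['self', 'https://fonts.gstatic.com'],
    'img-src': ['self', 'data:', 'https://cdn.example-previews.invalid'], // placeholder CDN
    'connect-src': ['self', 'https://www.google-analytics.com'],
    'report-uri': ['/api/csp-report'],
  },
};

const MAX_BODY_BYTES = 64 * 1024; // cap what an unauthenticated endpoint will parse

// Return the first present key as a string; legacy and Reporting API names differ.
function pick(obj, ...keys) {
  for (const k of keys) {
    if (obj && obj[k] !== undefined && obj[k] !== null) return String(obj[k]);
  }
  return '';
}

// Flatten one raw violation body into a log-friendly record.
function normalizeViolation(raw) {
  return {
    documentUri: pick(raw, 'document-uri', 'documentURL'),
    effectiveDirective: pick(raw, 'effective-directive', 'effectiveDirective', 'violated-directive'),
    blockedUri: pick(raw, 'blocked-uri', 'blockedURL'),
    sourceFile: pick(raw, 'source-file', 'sourceFile'),
    lineNumber: Number(pick(raw, 'line-number', 'lineNumber')) || 0,
    disposition: pick(raw, 'disposition') || 'report',
    sample: pick(raw, 'script-sample', 'sample').slice(0, 40), // never log whole inline content
  };
}

// Parse a report body into normalized violations; [] for unknown types or bad JSON.
function parseCspReports(contentType, text) {
  if (typeof text !== 'string' || text.length > MAX_BODY_BYTES) return [];
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  let data;
  try {
    data = JSON.parse(text);
  } catch {
    return [];
  }
  if (type === 'application/csp-report' && data && typeof data['csp-report'] === 'object') {
    return [normalizeViolation(data['csp-report'])];
  }
  if (type === 'application/reports+json' && Array.isArray(data)) {
    return data
      .filter((r) => r && r.type === 'csp-violation' && r.body && typeof r.body === 'object')
      .map((r) => normalizeViolation(r.body));
  }
  return [];
}

// Browser extensions and about:blank trip CSP constantly; they are not our bug.
function isLikelyNoise(v) {
  const u = v.blockedUri;
  return /^(chrome|moz|safari-web)-extension:\/\//.test(u) || u === 'about' || u === 'about:blank';
}

// Count violations per (directive, blocked URI): the list to work through before enforcing.
function summarize(violations) {
  const counts = new Map();
  for (const v of violations) {
    if (isLikelyNoise(v)) continue;
    const key = `${v.effectiveDirective} ${v.blockedUri}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return Object.fromEntries(counts);
}

// SvelteKit-style handler for src/routes/api/csp-report/+server.js (would be exported there).
async function POST({ request }) {
  const reports = parseCspReports(request.headers.get('content-type'), await request.text());
  for (const v of reports) {
    if (isLikelyNoise(v)) continue;
    console.warn(JSON.stringify({ event: 'csp-violation', ...v })); // swap for the app's logger
  }
  return new Response(null, { status: 204 }); // browsers ignore the body; 4xx only adds retry noise
}

// Constructed sample reports, one per format.
const SAMPLE_LEGACY = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://example.test/', 'violated-directive': 'script-src',
  'effective-directive': 'script-src', 'blocked-uri': 'inline', 'line-number': 12,
  'source-file': 'https://example.test/', 'disposition': 'report',
  'script-sample': 'window.dataLayer = window.dataLayer || []' } });
const SAMPLE_REPORTING_API = JSON.stringify([
  { type: 'csp-violation', age: 10, url: 'https://example.test/pricing', body: {
    documentURL: 'https://example.test/pricing', effectiveDirective: 'style-src',
    blockedURL: 'https://fonts.googleapis.com/css2', disposition: 'report' } },
  { type: 'csp-violation', body: { documentURL: 'https://example.test/',
    effectiveDirective: 'script-src', blockedURL: 'chrome-extension://abc/content.js' } },
  { type: 'deprecation', body: {} },
]);

console.log(summarize([
  ...parseCspReports('application/csp-report; charset=utf-8', SAMPLE_LEGACY),
  ...parseCspReports('application/reports+json', SAMPLE_REPORTING_API),
]));
```

The summary printed for the constructed samples points at exactly the kind of finding report-only mode is for: a `script-src inline` hit from a leftover inline snippet and a `style-src` hit from a font stylesheet host missing from the allowlist. Each key is either an allowlist entry to add or an inline script to move into bundled JS before the header is switched from `Content-Security-Policy-Report-Only` to `Content-Security-Policy`.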