fix(desktop): add a conservative Content-Security-Policy

Adds a CSP meta tag that hardens default-src/object-src/base-uri while keeping
script/style 'unsafe-inline'+'unsafe-eval' (Emotion CSS-in-JS injects runtime
<style> tags, the startup watchdog is inline, shiki/mermaid/Vite use eval) and a
permissive connect-src (localhost sidecar + ws + https) so renderer fetches and
dev HMR keep working. Needs a runtime smoke on dev + packaged builds before any
tightening.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
程序员阿江(Relakkes) 2026-06-03 14:07:29 +08:00
parent 7a882d1858
commit 7e1e1b4ae6

View File

@ -2,6 +2,18 @@
<html lang="zh-CN" data-theme="white">
<head>
<meta charset="UTF-8" />
<!--
Conservative CSP: hardens default/object/base-uri without breaking the app.
script/style keep 'unsafe-inline' + 'unsafe-eval' on purpose - Emotion CSS-in-JS
injects runtime <style> tags, the startup watchdog below is inline, and shiki/
mermaid/Vite rely on eval. connect-src stays permissive (localhost sidecar + ws +
https) so renderer fetches and dev HMR keep working. Tighten only after verifying
on a packaged build.
-->
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data: blob: https: http://127.0.0.1:* http://localhost:*; connect-src 'self' https: http://127.0.0.1:* http://localhost:* ws://127.0.0.1:* ws://localhost:*; worker-src 'self' blob:; object-src 'none'; base-uri 'self'"
/>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Claude Code Companion</title>
<!-- Fonts are self-hosted in /fonts/ and declared via @font-face in globals.css -->