mirror of
https://github.com/NanmiCoder/cc-haha
synced 2026-07-17 13:13:35 +08:00
fix(desktop): add a conservative Content-Security-Policy
Adds a CSP meta tag that hardens default-src/object-src/base-uri while keeping script/style 'unsafe-inline'+'unsafe-eval' (Emotion CSS-in-JS injects runtime <style> tags, the startup watchdog is inline, shiki/mermaid/Vite use eval) and a permissive connect-src (localhost sidecar + ws + https) so renderer fetches and dev HMR keep working. Needs a runtime smoke on dev + packaged builds before any tightening. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
7a882d1858
commit
7e1e1b4ae6
@ -2,6 +2,18 @@
|
||||
<html lang="zh-CN" data-theme="white">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<!--
|
||||
Conservative CSP: hardens default/object/base-uri without breaking the app.
|
||||
script/style keep 'unsafe-inline' + 'unsafe-eval' on purpose - Emotion CSS-in-JS
|
||||
injects runtime <style> tags, the startup watchdog below is inline, and shiki/
|
||||
mermaid/Vite rely on eval. connect-src stays permissive (localhost sidecar + ws +
|
||||
https) so renderer fetches and dev HMR keep working. Tighten only after verifying
|
||||
on a packaged build.
|
||||
-->
|
||||
<meta
|
||||
http-equiv="Content-Security-Policy"
|
||||
content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data: blob: https: http://127.0.0.1:* http://localhost:*; connect-src 'self' https: http://127.0.0.1:* http://localhost:* ws://127.0.0.1:* ws://localhost:*; worker-src 'self' blob:; object-src 'none'; base-uri 'self'"
|
||||
/>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>Claude Code Companion</title>
|
||||
<!-- Fonts are self-hosted in /fonts/ and declared via @font-face in globals.css -->
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user