
feat(security): add Content-Security-Policy #6

Merged
dani-polani merged 3 commits into main from feat/csp
Jun 27, 2026

Conversation

@dani-polani

Contributor

Summary

  • Moves GA bootstrap (dataLayer init + gtag shim) from inline <script> in app.html into the JS bundle (defer-third-party.ts), eliminating the only inline script on the page
  • Configures kit.csp in svelte.config.js with mode: 'auto' and a full source allowlist covering GTM, Google Fonts, Tally, DigitalOcean CDN, and GA
  • Adds /api/csp-report POST endpoint that logs CSP violations to stdout
  • Ships in enforcing mode (Content-Security-Policy, not report-only) — report-only QA was done locally

What's allowed

Directive    Origins
script-src   'self' + nonce (SvelteKit), googletagmanager.com, tally.so
style-src    'self', 'unsafe-inline' (preview inline styles), fonts.googleapis.com
font-src     'self', data:, fonts.gstatic.com
img-src      'self', data:, blob:, DO CDN, google-analytics.com
connect-src  'self', GTM, *.google-analytics.com, fonts.gstatic.com
frame-src    tally.so

Test plan

  • Open the editor, select a Google Font on a line — no console CSP errors
  • Load conlang example (custom font from static/) — fonts load
  • Export PNG / SVG / PDF / HTML — download works
  • Share via ?data= link — opens correctly
  • Open Tally feedback widget — iframe loads
  • Check Network tab: gtag.js loads, GA hits go to *.google-analytics.com
  • Check Railway logs: no [csp-report] violations from browsers

curl -sI https://aligner.tinygods.dev/ | grep -i content-security-policy

🤖 Generated with Claude Code
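The PR description above lists the allowlist as a table and mentions a /api/csp-report endpoint, but shows neither the resulting header nor what a violation report looks like when it arrives. The following JavaScript is an added example, not code from the PR or from the project: it expresses the table as a directive map in the shape SvelteKit's `kit.csp.directives` takes, serialises it into a header value, lints it for the mistakes a reviewer checks before switching from report-only to enforcing, and parses both report formats a browser can POST to the endpoint. It assumes concrete hosts behind the table's abbreviated names (www.googletagmanager.com, www.google-analytics.com), a placeholder for the DigitalOcean CDN host, and adds a default-src fallback and a report-uri directive that the PR text does not list; the sample reports are constructed.

```javascript
// Added example, not code from the PR. Mirrors the PR's allowlist table as a
// directive map, serialises it into a Content-Security-Policy header value,
// lints it, and parses the violation reports POSTed to /api/csp-report.
// Assumptions: concrete hosts behind the table's abbreviated names, a placeholder
// CDN host, and the added default-src and report-uri entries (not in the PR text).

const CDN_HOST = 'https://cdn.example.invalid'; // placeholder for the DigitalOcean CDN host

// Directive map in the shape SvelteKit's kit.csp.directives uses
// (directive name -> array of source expressions). The nonce is per request,
// so it is passed in rather than hard-coded.
function buildDirectives(nonce) {
  return {
    'default-src': ["'self'"], // fallback for any fetch directive not listed below
    'script-src': ["'self'", `'nonce-${nonce}'`, 'https://www.googletagmanager.com', 'https://tally.so'],
    'style-src': ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
    'font-src': ["'self'", 'data:', 'https://fonts.gstatic.com'],
    'img-src': ["'self'", 'data:', 'blob:', CDN_HOST, 'https://www.google-analytics.com'],
    'connect-src': ["'self'", 'https://www.googletagmanager.com', 'https://*.google-analytics.com', 'https://fonts.gstatic.com'],
    'frame-src': ['https://tally.so'],
    'report-uri': ['/api/csp-report'], // deliver violation reports to the endpoint the PR adds
  };
}

// Serialise the map into the header value: "name src src; name src".
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Review checks to run before switching from report-only to enforcing.
function lintPolicy(directives) {
  const problems = [];
  const script = directives['script-src'] || [];
  if (script.includes("'unsafe-inline'")) {
    problems.push("script-src allows 'unsafe-inline'");
  }
  if (!script.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"))) {
    problems.push('script-src has no nonce or hash, so framework-injected inline scripts will be blocked');
  }
  if (!directives['default-src']) {
    problems.push('no default-src: any fetch directive not listed is unrestricted');
  }
  if (!directives['report-uri'] && !directives['report-to']) {
    problems.push('no report-uri/report-to: violations in production will be invisible');
  }
  return problems;
}

// Normalise both report formats a browser may send: the legacy
// application/csp-report body ({"csp-report": {...}}) and the Reporting API
// array ([{type: "csp-violation", body: {...}}]).
function parseCspReport(rawBody) {
  const parsed = JSON.parse(rawBody);
  const reports = Array.isArray(parsed) ? parsed : [parsed];
  return reports.map((r) => {
    if (r['csp-report']) {
      const b = r['csp-report'];
      return {
        directive: b['effective-directive'] || b['violated-directive'] || '',
        blocked: b['blocked-uri'] || '',
        document: b['document-uri'] || '',
        source: b['source-file'] || '',
      };
    }
    const b = r.body || {};
    return {
      directive: b.effectiveDirective || '',
      blocked: b.blockedURL || '',
      document: b.documentURL || '',
      source: b.sourceFile || '',
    };
  });
}

// Browser extensions inject scripts from their own origins; those reports are
// noise from the site's point of view and should not trigger an investigation.
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-web-extension:'];

function isLikelyNoise(violation) {
  return EXTENSION_SCHEMES.some(
    (scheme) => violation.blocked.startsWith(scheme) || violation.source.startsWith(scheme),
  );
}

// The "[csp-report]" tag matches the one the PR's test plan greps for in logs.
function formatLogLine(violation) {
  const suffix = isLikelyNoise(violation) ? ' (likely browser-extension noise)' : '';
  return `[csp-report] ${violation.directive} blocked ${violation.blocked} on ${violation.document}${suffix}`;
}

// Constructed sample reports, one in each format.
const SAMPLE_LEGACY_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://aligner.tinygods.dev/',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'https://third-party.example.invalid/widget.js',
  },
});

const SAMPLE_REPORTING_API_BODY = JSON.stringify([
  {
    type: 'csp-violation',
    body: {
      documentURL: 'https://aligner.tinygods.dev/',
      effectiveDirective: 'script-src-elem',
      blockedURL: 'inline',
      sourceFile: 'chrome-extension://abcdefghijklmnop/content.js',
    },
  },
]);

// Stand-alone run: print the header, lint findings and triaged log lines.
console.log(serializeCsp(buildDirectives('dGVzdA')));
console.log(lintPolicy(buildDirectives('dGVzdA')));
for (const body of [SAMPLE_LEGACY_REPORT, SAMPLE_REPORTING_API_BODY]) {
  for (const v of parseCspReport(body)) console.log(formatLogLine(v));
}
```

The directive map has the same shape as `kit.csp.directives` in svelte.config.js, where SvelteKit appends its own per-response nonce or hash. Two points worth keeping in mind when reviewing a policy like this one: under CSP Level 3, a browser that sees a nonce or hash in script-src ignores 'unsafe-inline' in that directive, so listing both buys no compatibility and only weakens the policy on older browsers; and without a default-src, directives the table omits (for example worker-src or object-src) fall back to no restriction at all.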

dani-polani and others added 3 commits June 27, 2026 14:49
Configure kit.csp (mode auto) so SvelteKit nonces its own scripts and
script-src can stay free of 'unsafe-inline'. style-src keeps 'unsafe-inline'
for the preview's dynamic inline style attributes. Allowlist covers Google
Fonts, GA, Tally, and the example-previews CDN.

Move the GA gtag bootstrap out of app.html into bundled JS
(deferThirdPartyScripts) so the page ships no inline script. Add a
/api/csp-report endpoint that logs violations while running report-only.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

QA passed in report-only mode; switching to enforcing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@dani-polani dani-polani merged commit c1b5cf8 into main Jun 27, 2026
2 checks passed
dani-polani added a commit that referenced this pull request Jun 27, 2026
This reverts commit c1b5cf8, reversing
changes made to b71b570.