feat: add Content-Security-Policy header for embedded web SPA #65

Closed
clawbot wants to merge 1 commit from feat/add-csp-headers into main
Collaborator

Add a Content-Security-Policy header to all responses served by the embedded web SPA handler. The policy restricts scripts, styles, and all other resource types to same-origin only (default-src 'self'; script-src 'self'; style-src 'self'), matching the SPA's actual behavior:

  • External CSS and JS files loaded from same origin
  • Same-origin fetch() API calls (no WebSockets)
  • Programmatic inline styles via Preact DOM API (not restricted by CSP style-src)
  • No external fonts, images, or other resources

This provides defense-in-depth against XSS, complementing Preact's built-in output escaping.

closes #41
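As an added example, not code from the sneak/chat project (whose language the page does not show; Go and net/http are assumed here), this wraps an SPA handler so every response carries the header from the description, and parses the served policy to confirm that default-src, script-src and style-src are each exactly 'self', with no unsafe-inline or external hosts, which is what the same-origin-only behaviour listed above requires.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Policy from the PR description: every resource type same-origin only.
const cspPolicy = "default-src 'self'; script-src 'self'; style-src 'self'"

// withCSP wraps the SPA handler so every response it serves carries the header.
func withCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", cspPolicy)
		next.ServeHTTP(w, r)
	})
}

// parseCSP splits a serialized policy into directive -> source expressions.
func parseCSP(policy string) map[string][]string {
	dirs := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		if f := strings.Fields(d); len(f) > 0 {
			dirs[strings.ToLower(f[0])] = f[1:]
		}
	}
	return dirs
}

// checkSameOriginOnly verifies that default-src, script-src and style-src are
// each present and exactly 'self' (no 'unsafe-inline', no external hosts).
func checkSameOriginOnly(policy string) error {
	dirs := parseCSP(policy)
	for _, name := range []string{"default-src", "script-src", "style-src"} {
		if s, ok := dirs[name]; !ok || len(s) != 1 || s[0] != "'self'" {
			return fmt.Errorf("%s must be exactly 'self', got %v", name, s)
		}
	}
	return nil
}

// cspHeaderFor serves one request through the wrapped handler (a stand-in for
// the embedded index.html) and returns the CSP header the response carried.
func cspHeaderFor(path string) string {
	spa := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<!doctype html>") // constructed stand-in response body
	})
	rec := httptest.NewRecorder()
	withCSP(spa).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Content-Security-Policy")
}
```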

clawbot added the needs-reviewbot labels 2026-03-10 11:18:19 +01:00
clawbot added 1 commit 2026-03-10 11:18:20 +01:00
feat: add Content-Security-Policy header for embedded web SPA
All checks were successful
check / check (push) Successful in 4s
706f5f6dcc
Set CSP header on all SPA-served responses to provide defense-in-depth
against XSS. The policy restricts scripts, styles, and all other
resource types to same-origin only, matching the SPA's actual behavior
(external CSS/JS files, same-origin fetch API calls, no WebSockets or
external resources).
Author
Collaborator

Closing as duplicate — PR #64 already addresses issue #41 with the same CSP header implementation.

clawbot closed this pull request 2026-03-10 11:19:07 +01:00