index.html
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/png" href="/icon1.png" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>MoodsNote</title>
<!--
Content Security Policy (CSP)
Protects against XSS attacks by controlling which resources can be loaded.
Directives explained:
- default-src: Fallback for other resource types
- script-src: JavaScript execution sources (unsafe-eval needed for Vite HMR in dev)
- style-src: CSS sources (unsafe-inline needed for Vue scoped styles)
- img-src: Image sources (data: for base64, blob: for file uploads)
- media-src: Audio/video sources (blob: for file uploads)
- connect-src: Fetch/XHR/WebSocket sources
- font-src: Web font sources
- object-src: Plugin sources (none for security)
- base-uri: Restricts <base> tag URLs
- form-action: Restricts form submission targets
Note: frame-ancestors and X-Frame-Options must be set via HTTP headers,
not meta tags. Configure these in your production server (nginx, Apache, etc.)
-->
<meta http-equiv="Content-Security-Policy" content="
default-src 'self';
script-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
media-src 'self' blob:;
connect-src 'self';
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';
">
<!-- Additional Security Headers.
Note: browsers only honor X-Content-Type-Options as an HTTP response header;
the meta form below is ignored, so also send it from the production server. -->
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<meta name="referrer" content="no-referrer">
</head>
<body>
<div id="app"></div>
<script type="module" src="/src/main.ts"></script>
</body>
</html>
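To check a policy like the one in this index.html before a production build, here is an added example (not code from the MoodsNote project): it parses the CSP string the way a browser does and flags sources that are acceptable for Vite dev but should not ship, plus directives that have no effect in a `<meta>` tag. The policy text below is copied from the file above; the finding messages are this example's own.

```python
# Added example, not part of the MoodsNote project: parse a CSP policy string
# like a browser does and flag sources that should not ship in production.
from typing import Dict, List

# Constructed input: the policy from the index.html above, copied verbatim.
INDEX_HTML_CSP = """
default-src 'self';
script-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
media-src 'self' blob:;
connect-src 'self';
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';
"""

# Directives browsers ignore inside <meta http-equiv>; they only take effect
# as HTTP response headers (the same point the comment in index.html makes).
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [sources]}: ';' separates directives,
    whitespace separates tokens, and only a directive's first occurrence counts."""
    parsed: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed

def audit_csp(policy: str, production: bool = True) -> List[str]:
    """Return findings for a policy; an empty list means no issues found."""
    p = parse_csp(policy)
    default = p.get("default-src", [])
    script = p.get("script-src", default)      # script-src falls back to default-src
    findings: List[str] = []
    if production and "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval' (needed only for Vite HMR in dev)")
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline' (defeats the XSS protection)")
    if p.get("object-src", default) != ["'none'"]:
        findings.append("object-src should be 'none' (blocks plugin content)")
    if "base-uri" not in p:
        findings.append("base-uri missing (an injected <base> can hijack relative URLs)")
    for d in sorted(META_IGNORED & set(p)):
        findings.append(f"{d} has no effect in a <meta> tag; send it as an HTTP header")
    return findings
```

Run `audit_csp(INDEX_HTML_CSP)` against a production build's policy: the only finding for the file above is the `'unsafe-eval'` that the comment says is dev-only.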