Current State
The CSP at line 55-63 includes:
script-src 'self' 'unsafe-inline' https://unpkg.comstyle-src 'self' 'unsafe-inline' ...
The 'unsafe-inline' directive weakens the CSP significantly, allowing inline scripts/styles which could be vectors for XSS attacks.
Why It Exists
All JavaScript and CSS is currently in the single index.html file, requiring 'unsafe-inline' to function.
Proposed Solution
- Extract JavaScript to
app.js
- Extract CSS to
styles.css
- Add nonce-based CSP for any remaining inline scripts
- Remove
'unsafe-inline' from CSP
<meta http-equiv="Content-Security-Policy" content="
script-src 'self' 'nonce-{random}' https://unpkg.com;
style-src 'self' https://fonts.googleapis.com ...;
">Trade-offs
- Requires build tooling or manual file splitting
- Conflicts with the intentional single-file architecture
- May not be worth it for a demo/portfolio project
Priority
Medium - The current CSP still blocks most attack vectors. This is a hardening measure for production use.
Current State
The CSP at line 55-63 includes:
script-src 'self' 'unsafe-inline' https://unpkg.comstyle-src 'self' 'unsafe-inline' ...The
'unsafe-inline'directive weakens the CSP significantly, allowing inline scripts/styles which could be vectors for XSS attacks.Why It Exists
All JavaScript and CSS is currently in the single
index.htmlfile, requiring'unsafe-inline'to function.Proposed Solution
app.jsstyles.css'unsafe-inline'from CSPTrade-offs
Priority
Medium - The current CSP still blocks most attack vectors. This is a hardening measure for production use.