
Commit e68b8c1

lolimmlost and claude committed
docs: Document Content Security Policy requirements

Add a CSP subsection to the web UI README documenting the policy the UI works under after the Tier 2 changes (vendored deps, no inline scripts, no inline JSON data blocks):

    default-src 'self';
    script-src 'self' 'unsafe-eval';
    style-src 'self';
    connect-src 'self';
    img-src 'self' data:;

Two notable properties:

- No external CDN allowlist needed — Pico/HTMX/Alpine are all vendored.
- 'unsafe-inline' is not required for script-src — all JS is in external .js files now.

The only relaxation we still need is 'unsafe-eval' because Alpine.js compiles x-data / x-show / x-text expressions with new Function(...). A follow-up PR can migrate to the alpinejs-csp build to drop that requirement; this README note flags the dependency explicitly so users deploying behind strict CSP know what to allow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent dcea5a3 commit e68b8c1

1 file changed

Lines changed: 16 additions & 0 deletions

File tree

README.md

@@ -775,6 +775,22 @@ The web UI ships **without built-in authentication**. Anyone who can reach the l
775775

776776
Do not expose port 9999 directly to the public internet.
777777

778+
#### Content Security Policy
779+
780+
If you serve Decluttarr behind a reverse proxy that injects a Content Security Policy, the web UI works under a strict `script-src` so long as `'unsafe-eval'` is allowed:
781+
782+
```
783+
default-src 'self';
784+
script-src 'self' 'unsafe-eval';
785+
style-src 'self';
786+
connect-src 'self';
787+
img-src 'self' data:;
788+
```
789+
790+
- All frontend dependencies (Pico CSS, HTMX, Alpine.js) are vendored under `/static/vendor/` — **no external CDN allowlist required**.
791+
- All page-level JavaScript is in external `.js` files under `/static/` — no inline `<script>` blocks, so `'unsafe-inline'` is **not** needed for `script-src`.
792+
- `'unsafe-eval'` is required because Alpine.js compiles its `x-data` / `x-show` / `x-text` expressions with `new Function(...)`. A follow-up will migrate to the `alpinejs-csp` build to remove this requirement; until then, `'unsafe-eval'` is the one CSP relaxation the UI depends on.
793+
778794

779795
## Disclaimer
780796
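Review bot: the documented policy omits the directives that do not fall back to `default-src`, so a deployment that copies the block verbatim gets no `frame-ancestors`, `base-uri` or `form-action` restriction at all. Given the paragraph just above states the UI ships without built-in authentication, add `frame-ancestors 'none';` (or the proxy's own origin if the UI is meant to be embedded) so the page cannot be framed for clickjacking, and `base-uri 'self';` costs nothing since every asset lives under `/static/`. Two smaller points for the same bullets: the `'unsafe-eval'` bullet names only `x-data` / `x-show` / `x-text`, but every Alpine expression attribute (`x-on`, `x-bind`, `x-for`, ...) goes through the same compilation, so readers should understand that dropping `'unsafe-eval'` breaks the whole UI rather than three attributes; and it is worth telling readers to confirm the policy in the browser console after deploying it rather than assuming it holds, because `style-src 'self'` without `'unsafe-inline'` also blocks `style=` attributes in HTMX-swapped fragments and any `<style>` element a vendored script inserts at runtime.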

0 commit comments
