Skip to content

Commit 9a27345

Browse files
authored
Merge pull request #55 from sumitsahoo/dev
Enhance ErrorBoundary, improve file handling, and update dependencies
2 parents d1acacb + 35f6e27 commit 9a27345

56 files changed

Lines changed: 2890 additions & 2196 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

SECURITY.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,4 +27,17 @@ CloakPDF is a **client-side only** application — all PDF processing happens in
2727

2828
## Dependency Vulnerabilities
2929

30-
Known dependency vulnerabilities are tracked automatically via GitHub Dependabot and the weekly security audit workflow. If you spot one that has not been addressed, please follow the disclosure process above.
30+
Known dependency vulnerabilities are tracked automatically via:
31+
32+
- **GitHub Dependabot** — daily checks against the GitHub Advisory Database
33+
- **OSV-Scanner** — weekly CI workflow against the Open Source Vulnerabilities database
34+
35+
If you spot one that has not been addressed, please follow the disclosure process above.
36+
37+
## Defence-in-Depth Controls
38+
39+
- **Content Security Policy** — declared via `<meta http-equiv="Content-Security-Policy">` in [`index.html`](./index.html). `connect-src` is restricted to the application origin and the public CDNs that serve the Tesseract OCR engine and language data, making it physically impossible for the page to upload user file content elsewhere.
40+
- **Subresource integrity** — all first-party JavaScript is bundled and served from the same origin under hashed filenames.
41+
- **No tracking or analytics** — the page makes no third-party network requests at runtime beyond what is listed above.
42+
43+
_Last reviewed: 2026-04-17._

index.html

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,17 @@
33
<head>
44
<meta charset="UTF-8" />
55

6+
<!--
7+
Content Security Policy — enforces the "no uploads, 100% private" promise.
8+
`connect-src` is intentionally narrow: only the CDNs that deliver the
9+
Tesseract OCR engine and language data are permitted. There is no path
10+
for user file content to leave the browser.
11+
-->
12+
<meta
13+
http-equiv="Content-Security-Policy"
14+
content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval' blob: https://cdn.jsdelivr.net https://unpkg.com; worker-src 'self' blob: https://cdn.jsdelivr.net https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' blob: https://cdn.jsdelivr.net https://unpkg.com https://tessdata.projectnaptha.com; object-src 'none'; base-uri 'self'; form-action 'self'; manifest-src 'self'"
15+
/>
16+
617
<!-- SVG favicon (primary + only) -->
718
<link rel="icon" href="/icons/favicon.svg" type="image/svg+xml" />
819

@@ -16,6 +27,14 @@
1627
<meta name="theme-color" content="#2563EB" />
1728
<meta name="color-scheme" content="light dark" />
1829

30+
<!-- Preload primary font so first paint uses Inter, not the system fallback -->
31+
<link rel="preload" href="/fonts/InterVariable.woff2" as="font" type="font/woff2" crossorigin />
32+
33+
<!-- Resource hints for runtime CDNs (PDF.js worker, Tesseract.js core + lang data) -->
34+
<link rel="preconnect" href="https://cdn.jsdelivr.net" crossorigin />
35+
<link rel="preconnect" href="https://unpkg.com" crossorigin />
36+
<link rel="dns-prefetch" href="https://tessdata.projectnaptha.com" />
37+
1938
<!-- iOS PWA -->
2039
<link rel="apple-touch-icon" href="/icons/apple-touch-icon.png" />
2140
<meta name="mobile-web-app-capable" content="yes" />

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@
3030
"@vitejs/plugin-react": "^6.0.1",
3131
"@voidzero-dev/vite-plus-core": "^0.1.18",
3232
"tailwindcss": "^4.2.2",
33-
"typescript": "^6.0.2",
33+
"typescript": "^6.0.3",
3434
"vite": "npm:@voidzero-dev/vite-plus-core@^0.1.18",
3535
"vite-plugin-pwa": "^1.2.0",
3636
"vite-plus": "latest"

pnpm-lock.yaml

Lines changed: 29 additions & 29 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)