The docs site currently has no CSP headers. The portal has a comprehensive CSP in its .ic-assets.json — we should add one for the docs site too.
Directives to account for:
script-src: 'self', 'unsafe-inline' (Starlight head scripts), Matomo domains
connect-src: 'self' (Pagefind), Matomo domains
style-src: 'self', 'unsafe-inline' (Starlight inline styles)
font-src: 'self' (CircularXX)
img-src: 'self', data:
default-src: 'self'
object-src: 'none'
base-uri: 'self'
frame-ancestors: 'none'
form-action: 'self'
upgrade-insecure-requests
Reference: portal's CSP in static/.ic-assets.json
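One way to assemble and sanity-check the header from the directive list above, as an added example that is not part of the issue or the project's code. The Matomo origin is a placeholder (the issue does not name the domains), and the `{ match, headers }` rule shape for `.ic-assets.json` is an assumption.

```javascript
const MATOMO = "https://matomo.example"; // placeholder origin, not from the issue
const DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'", MATOMO], // Starlight head scripts
  "connect-src": ["'self'", MATOMO],                   // Pagefind + Matomo
  "style-src": ["'self'", "'unsafe-inline'"],          // Starlight inline styles
  "font-src": ["'self'"],                              // CircularXX
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"],
  "form-action": ["'self'"],
  "upgrade-insecure-requests": [],
};

// Keywords are only honoured when single-quoted; unquoted they are read as host names.
const KEYWORDS = ["self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"];
// These directives do not fall back to default-src, so they must be listed explicitly.
const NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"];

function lintCsp(directives) {
  const problems = [];
  for (const [name, sources] of Object.entries(directives)) {
    for (const s of sources) {
      if (KEYWORDS.includes(s)) problems.push(`${name}: keyword ${s} must be quoted`);
      if (/[;,]/.test(s)) problems.push(`${name}: source "${s}" contains ; or ,`);
    }
    if (sources.includes("'none'") && sources.length > 1)
      problems.push(`${name}: 'none' cannot be combined with other sources`);
  }
  for (const name of NO_FALLBACK)
    if (!(name in directives)) problems.push(`${name}: missing, default-src does not cover it`);
  return problems;
}

function buildCsp(directives) {
  const problems = lintCsp(directives);
  if (problems.length) throw new Error(problems.join("\n"));
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Assumed .ic-assets.json rule shape: an array of { match, headers } objects.
function icAssetsRule(directives) {
  return [{ match: "**/*", headers: { "Content-Security-Policy": buildCsp(directives) } }];
}
console.log(JSON.stringify(icAssetsRule(DIRECTIVES), null, 2));
```

Running it with Node prints the rule to paste into the docs site's asset config once the real Matomo origins replace the placeholder.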