From 9149870380bfd1bc382b514562228c770b9eb16f Mon Sep 17 00:00:00 2001
From: tuanaiseo <tuanaiseo@gmail.com>
Date: Thu, 28 May 2026 06:24:57 +0700
Subject: [PATCH] fix(security): missing content security policy in index.html

The index.html file lacks a Content-Security-Policy meta tag. Since this is a Tauri application with a webview, without a CSP, the application is more vulnerable to XSS attacks if any user-controlled content is rendered, or if there are injection points in the rendered markdown or other content.

Affected files: index.html

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 index.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/index.html b/index.html
index 15ea39005..2e7bae876 100644
--- a/index.html
+++ b/index.html
@@ -4,6 +4,7 @@
     <meta charset="UTF-8" />
     <link rel="icon" type="image/svg+xml" href="/vite.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: tauri://localhost; connect-src 'self' tauri://localhost http://127.0.0.1:*;" />
     <title>LLM Wiki</title>
   </head>
   <body>