From 40aa9aa22312aa98cfca5e3c9822844c5b419feb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?= <45133811+barttran2k@users.noreply.github.com> Date: Tue, 7 Apr 2026 20:03:47 +0700 Subject: [PATCH] fix(security): no content security policy (csp) defined MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The HTML page loads external scripts and stylesheets from CDNs and fetches content from `raw.githubusercontent.com`, but no Content-Security-Policy is defined (neither via meta tag nor headers). This makes XSS exploitation easier if any injection vector is found. Affected files: index.html Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com> --- index.html | 1 + 1 file changed, 1 insertion(+) diff --git a/index.html b/index.html index 5f90ae39..61aa82c7 100644 --- a/index.html +++ b/index.html @@ -2,6 +2,7 @@
+
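Review bot: the single added line in the `@@ -2,6 +2,7 @@` hunk of index.html shows no content here, and the commit message describes the missing policy but not the policy that was chosen, so the allowed sources cannot be checked against what the page loads. Please state the directives in the commit message and confirm they cover the CDN origins used for scripts and stylesheets and permit the fetches to `raw.githubusercontent.com` (`connect-src`); a policy that omits any of these will break the page. Because the change is one line in index.html, the policy is presumably delivered through a meta tag. A meta-delivered policy ignores `frame-ancestors`, `report-uri` and `sandbox`, and it applies only to content parsed after it, so it should precede every script and link element in the head. Where the hosting allows it, a response header is the better place.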