ADDED Requirements
Requirement: Content Security Policy baseline
The deployed site MUST include a Content Security Policy (CSP) that is compatible with the site's runtime behavior and third-party integrations.
The CSP MUST be strict enough to avoid DevTools Issues panel findings related to CSP and MUST NOT rely on a permissive * wildcard for script sources.
The CSP MUST allow:
- the site's own scripts and styles
- the configured analytics script origin (Umami)
- required image origins (e.g., YouTube thumbnail host and podcast image CDN)
- required frame origins (e.g., YouTube and Spotify embeds)
Scenario: No CSP issues logged
- WHEN a user loads the homepage in Chrome
- THEN no CSP-related issues are reported in the DevTools Issues panel
Requirement: Avoid inline-script CSP violations
The site SHOULD minimize the use of inline scripts to avoid requiring unsafe-inline in CSP.
If inline scripts are necessary, the CSP MUST use a nonce-based or hash-based approach.
Scenario: Inline scripts do not require unsafe-inline
- WHEN the site is served with CSP enabled
- THEN the policy does not require script-src 'unsafe-inline' to function