## ADDED Requirements

### Requirement: Content Security Policy baseline

The deployed site MUST include a Content Security Policy (CSP) that is compatible with the site's runtime behavior and third-party integrations.

The CSP MUST be strict enough to avoid DevTools Issues panel findings related to CSP and MUST NOT rely on a permissive `*` wildcard for script sources.

The CSP MUST allow:

- the site's own scripts and styles
- the configured analytics script origin (Umami)
- required image origins (e.g., YouTube thumbnail host and podcast image CDN)
- required frame origins (e.g., YouTube and Spotify embeds)

#### Scenario: No CSP issues logged

- **WHEN** a user loads the homepage in Chrome
- **THEN** no CSP-related issues are reported in the DevTools Issues panel

### Requirement: Avoid inline-script CSP violations

The site SHOULD minimize the use of inline scripts to avoid requiring `unsafe-inline` in CSP.

If inline scripts are necessary, the CSP MUST use a nonce-based or hash-based approach.

#### Scenario: Inline scripts do not require unsafe-inline

- **WHEN** the site is served with CSP enabled
- **THEN** the policy does not require `script-src 'unsafe-inline'` to function