Security: Move CSP to HTTP headers and externalize inline scripts #39
Conversation
- Move Content-Security-Policy from meta tags to _headers file - Add frame-ancestors 'none' (only works in HTTP headers) - Fix font-src to allow data: URIs - Add contact.unityailab.com to connect-src - Add base-uri and form-action directives Externalize inline scripts for CSP compliance: - page-init.js: Common FOUC prevention - home-init.js: Home page visitor tracking - ai/ai-init.js: AI page visitor count with auto-refresh - about/about-contact.js: About page contact form - apps/apps-init.js: Apps page initialization - contact/contact-form.js: Contact form with API fallback - services/services.js: Service modals and form 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Unity-Lab-AI.github.io/_headers
Line 7 in 424d62f
Inline service modals blocked by new CSP
The new CSP header at line 7 removes 'unsafe-inline' from script-src, but the services page still uses inline onclick handlers to open its modals (e.g., services/index.html lines 565‑575). With this header served, browsers will block those inline handlers, so clicking any service card no longer calls openServiceModal, effectively breaking the modal interactions on the Services page.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
1 participant
Externalize inline scripts for CSP compliance:
🤖 Generated with Claude Code