From f5de81719f5082e20d029dad4af48eac4350fddb Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 25 Feb 2026 07:32:19 +0000
Subject: [PATCH] Add Content Security Policy (CSP)

- Configure `kit.csp` in `svelte.config.js` with `mode: 'hash'`.
- Define strict directives for scripts, styles, images, connections, and frames.
- Move `%sveltekit.head%` to `<head>` in `src/app.html`.
- Move inline analytics script to `static/gtag.js`.
- Clean up unused imports in `src/routes/privacy/+page.svelte`.

Co-authored-by: Randomblock1 <19873803+Randomblock1@users.noreply.github.com>
---
 src/app.html                    |  2 +-
 src/lib/Analytics.svelte        | 11 +---------
 src/routes/+layout.svelte       |  3 +--
 src/routes/install/+page.svelte |  5 ++++-
 src/routes/privacy/+page.svelte |  4 ----
 static/gtag.js                  |  6 ++++++
 svelte.config.js                | 36 +++++++++++++++++++++++++++++++++
 7 files changed, 49 insertions(+), 18 deletions(-)
 create mode 100644 static/gtag.js

diff --git a/src/app.html b/src/app.html
index f850d61..7272712 100644
--- a/src/app.html
+++ b/src/app.html
@@ -8,9 +8,9 @@
         <link rel="mask-icon" href="%sveltekit.assets%/maskable_icon.png" color="#1d232a" />
         <meta name="theme-color" content="#641ae6" />
         <meta name="mobile-web-app-capable" content="yes" />
+        %sveltekit.head%
     </head>
     <body data-sveltekit-preload-data="hover">
-        %sveltekit.head%
         <div style="display: contents">%sveltekit.body%</div>
     </body>
 </html>
diff --git a/src/lib/Analytics.svelte b/src/lib/Analytics.svelte
index a066d0b..3dfba8d 100644
--- a/src/lib/Analytics.svelte
+++ b/src/lib/Analytics.svelte
@@ -14,14 +14,5 @@
 <svelte:head>
     <script async src="https://www.googletagmanager.com/gtag/js?id=G-0RFZS8YNB7">
     </script>
-    <script>
-        window.dataLayer = window.dataLayer || [];
-
-        function gtag() {
-            dataLayer.push(arguments);
-        }
-
-        gtag('js', new Date());
-        gtag('config', 'G-0RFZS8YNB7');
-    </script>
+    <script src="/gtag.js"></script>
 </svelte:head>
diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte
index 4f83fac..014a0d9 100644
--- a/src/routes/+layout.svelte
+++ b/src/routes/+layout.svelte
@@ -54,8 +54,7 @@
 <div class="flex flex-wrap sm:flex-row">
     <a href={resolve('/')} class="flex items-center m-4">
         <img src="favicon.svg" alt="PDFCrypt" class="h-16 align-middle mx-4" />
-        <h1
-            class="text-4xl rounded-lg p-2.5 border-2 bg-primary text-white border-transparent">
+        <h1 class="text-4xl rounded-lg p-2.5 border-2 bg-primary text-white border-transparent">
             PDFCrypt
         </h1>
     </a>
diff --git a/src/routes/install/+page.svelte b/src/routes/install/+page.svelte
index 99e0c53..c8d4ad4 100644
--- a/src/routes/install/+page.svelte
+++ b/src/routes/install/+page.svelte
@@ -58,7 +58,10 @@
         <div class="tile m-4 h-fit">
             <h2 class="text-2xl rounded-lg p-2.5 bg-primary text-white mb-4 w-fit">MacOS</h2>
             <ol>
-                <li>- Open the app in Safari. If you're using a Chrome-based browser, follow the Windows instructions instead.</li>
+                <li>
+                    - Open the app in Safari. If you're using a Chrome-based browser, follow the
+                    Windows instructions instead.
+                </li>
                 <li>- Click the share button in the address bar.</li>
                 <li>- Click "Add to Dock".</li>
             </ol>
diff --git a/src/routes/privacy/+page.svelte b/src/routes/privacy/+page.svelte
index b790a0d..b788715 100644
--- a/src/routes/privacy/+page.svelte
+++ b/src/routes/privacy/+page.svelte
@@ -1,7 +1,3 @@
-<script>
-    import { resolve } from '$app/paths';
-</script>
-
 <svelte:head>
     <title>PDFCrypt - Privacy Policy</title>
 </svelte:head>
diff --git a/static/gtag.js b/static/gtag.js
new file mode 100644
index 0000000..64eba88
--- /dev/null
+++ b/static/gtag.js
@@ -0,0 +1,6 @@
+window.dataLayer = window.dataLayer || [];
+function gtag() {
+    dataLayer.push(arguments);
+}
+gtag('js', new Date());
+gtag('config', 'G-0RFZS8YNB7');
diff --git a/svelte.config.js b/svelte.config.js
index 426394d..d6fbd13 100644
--- a/svelte.config.js
+++ b/svelte.config.js
@@ -13,6 +13,42 @@ const config = {
         }),
         paths: {
             base: process.argv.includes('dev') ? '' : process.env.BASE_PATH
+        },
+        csp: {
+            mode: 'hash',
+            directives: {
+                'default-src': ['self'],
+                'script-src': [
+                    'self',
+                    'wasm-unsafe-eval',
+                    'https://www.googletagmanager.com',
+                    'https://get.microsoft.com'
+                ],
+                'style-src': ['self', 'unsafe-inline'],
+                'img-src': [
+                    'self',
+                    'data:',
+                    'https://www.google-analytics.com',
+                    'https://www.googletagmanager.com',
+                    'https://get.microsoft.com',
+                    'https://stats.g.doubleclick.net'
+                ],
+                'connect-src': [
+                    'self',
+                    'https://www.google-analytics.com',
+                    'https://analytics.google.com',
+                    'https://www.googletagmanager.com',
+                    'https://get.microsoft.com',
+                    'https://apps.microsoft.com',
+                    'https://stats.g.doubleclick.net'
+                ],
+                'font-src': ['self'],
+                'frame-src': ['self', 'https://get.microsoft.com'],
+                'worker-src': ['self'],
+                'manifest-src': ['self'],
+                'object-src': ['none'],
+                'base-uri': ['self']
+            }
         }
     }
 };