polished items from the re-audit report by Claude, add Ubuntu live ISO method to README

2026-03-07 09:57:50 +08:00 · 2026-02-19 22:58:34 +08:00
parent 4da39b7b89
commit f1b0c0738e
8 changed files with 2196 additions and 1875 deletions
--- a/dist-tails/index.html
+++ b/dist-tails/index.html
@@ -2,15 +2,15 @@
 <html lang="en">

 <head>
-<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' blob: data:; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none';" data-env="tails">
  <meta charset="UTF-8" />
  <link rel="icon" type="image/svg+xml" href="/vite.svg" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>SeedPGP Web</title>

-  <!-- CSP is enforced by _headers file in production deployment -->
-  <!-- No CSP in dev mode to allow Vite HMR -->
-  <script type="module" crossorigin src="./assets/index-DTLOeMVw.js"></script>
+  <!-- Baseline CSP for generic builds.
+       TailsOS builds override this via Makefile (build-tails target). -->
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' blob: data:; font-src 'self'; object-src 'none'; media-src 'self' blob:; base-uri 'self'; form-action 'none';" data-env="tails">
+  <script type="module" crossorigin src="./assets/index-Bwz_2nW3.js"></script>
  <link rel="stylesheet" crossorigin href="./assets/index-DW74Yc8k.css">
 </head>

@@ -18,4 +18,4 @@
  <div id="root"></div>
 </body>

-</html>
+</html>