feat: add Content-Security-Policy header and externalize theme-init

[clean6378-max-it]

Closes #79

Summary

• Add a Content-Security-Policy header on every Flask response via @app.after_request in create_app(), using a module-level CSP_POLICY constant in app.py.
• Externalize the two inline <script> blocks in static/index.html to static/js/theme-init.js (theme before first paint) and static/js/hljs-theme-init.js (initial light-mode hljs stylesheet), keeping script-src free of 'unsafe-inline'.
• Add test_root_sets_csp_header in tests/test_api_integration.py asserting Content-Security-Policy on GET /.
• Document the policy and CDN sync notes in docs/architecture.md.

Test plan

• python -m pytest tests/test_api_integration.py -q
• python -m pytest -q
• npm test
• curl -I http://127.0.0.1:5000/ shows Content-Security-Policy with default-src 'self'
• Open the app in a browser — no CSP console violations; theme applies without flash

Summary by CodeRabbit

• Security

  • Added a Content-Security-Policy header to every response, using a single shared policy value.

• Improvements

  • Moved theme initialization and Highlight.js theme switching to external JavaScript modules.
  • Replaced inline UI handlers with DOM event listeners across navigation, search, sessions, and projects.
  • Apply saved light/dark theme immediately and keep Highlight.js light theme URL/SRI aligned.

• Documentation

  • Added a CSP documentation section, including maintenance/synchronization guidance.

• Tests

  • Expanded CSP integration tests and added/updated frontend consistency and theme initialization tests.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d6dd8d32-6fae-49ab-b8b2-f2b5fc699f4f

📥 Commits

Reviewing files that changed from the base of the PR and between f94064f and d76e856.

📒 Files selected for processing (14)

• app.py
• docs/architecture.md
• static/index.html
• static/js/app.js
• static/js/app.test.js
• static/js/hljs-theme-init.js
• static/js/hljs-theme-init.test.js
• static/js/projects.js
• static/js/search.js
• static/js/sessions.js
• static/js/theme-init.js
• static/js/theme-init.test.js
• tests/test_api_integration.py
• tests/test_hljs_theme_consistency.py

✅ Files skipped from review due to trivial changes (3)

• static/js/theme-init.js
• static/js/theme-init.test.js
• docs/architecture.md

🚧 Files skipped from review as they are similar to previous changes (9)

• static/js/hljs-theme-init.js
• tests/test_api_integration.py
• app.py
• static/index.html
• static/js/sessions.js
• static/js/projects.js
• static/js/app.js
• static/js/search.js
• tests/test_hljs_theme_consistency.py

---

📝 Walkthrough

Walkthrough

Adds a CSP_POLICY constant and an @app.after_request hook in app.py to set a Content-Security-Policy header on all Flask responses. Externalizes two previously inline theme-initialization <script> IIFEs from static/index.html into static/js/theme-init.js and static/js/hljs-theme-init.js. Removes inline onclick/onkeydown handlers from HTML templates and rewires all event handling in JavaScript files using addEventListener. Adds integration and regression tests, and documents the policy in docs/architecture.md.

Changes

CSP Header and Script Externalization

Layer / File(s)	Summary
CSP policy constant, after_request hook, tests, and docs app.py, tests/test_api_integration.py, docs/architecture.md	CSP_POLICY joins all directive strings into one header value; an after_request hook applies it unconditionally on every response; integration tests assert both GET / and GET /api/projects return the header matching CSP_POLICY; architecture docs enumerate the directives and the CDN sync rule.
Inline script externalization to comply with CSP static/index.html, static/js/theme-init.js, static/js/hljs-theme-init.js, static/js/theme-init.test.js, static/js/hljs-theme-init.test.js	Removes two inline IIFEs from index.html and replaces them with external script loads. theme-init.js reads localStorage.theme, normalizes unknown values to 'dark', and sets data-theme on the root element before first paint. hljs-theme-init.js conditionally updates #hljs-theme link integrity and href when data-theme is 'light'. Test suites validate default behavior, valid/invalid theme states, and missing DOM elements.
Navbar event wiring and inline handler removal static/index.html, static/js/app.js, static/js/app.test.js	Removes inline onclick attributes for hamburger toggle, navbar brand, search link, and theme toggle from the HTML navbar markup. Wires all navbar controls in app.js via DOMContentLoaded event listeners with optional chaining. Updates test mocks for toggleTheme and toggleSidebar, adds a test suite verifying each navbar control's click handler invokes the correct route/theme function, and re-exports HLJS_THEME_SHEETS for testing.
Page-specific event wiring (projects, search, sessions) static/js/projects.js, static/js/search.js, static/js/sessions.js	Removes inline onclick/onkeydown handlers from projects export buttons, search form, and workspace controls. projects.js adds bindProjectsExportButtons() helper to wire export listeners after content render; search.js rewires search form interaction via addEventListener, imports showProjects for back-link, and adds explicit input focus; sessions.js binds back-link and copy-button handlers after DOM insertion using optional chaining.
Theme SRI hash consistency regression testing tests/test_hljs_theme_consistency.py	New test helper _js_string_assignments() extracts string-literal assignments from classic JavaScript using regex. Test test_light_theme_url_and_hash_match_between_hljs_init_and_theme_js() validates that light-theme href and integrity in hljs-theme-init.js match the shared HLJS_THEME_SHEETS.light entry, preventing hash drift when CDN assets change. Renames theme source constant from APP_JS to THEME_JS.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• cppalliance/claude-code-chat-browser#20: Both PRs coordinate Highlight.js light-theme switching with SRI integrity handling by updating the #hljs-theme link's integrity before href, with matching tests around the URL+hash invariant.
• cppalliance/claude-code-chat-browser#36: Both PRs refactor the frontend's theme/Highlight.js handling around HLJS_THEME_SHEETS, including re-exporting it from static/js/app.js and updating theme-init behavior to support light/dark switching.
• cppalliance/claude-code-chat-browser#86: Both PRs update static/js/app.test.js to exercise app.js behaviors, including DOMContentLoaded handler wiring and UI event dispatch.

Suggested reviewers

• wpak-ai
• timon0305

Poem

🐇 Hop, hop, no inline scripts today,
The bunny moved them safely away.
CSP header set with care,
default-src 'self' declared right there.
Event listeners wired tight and true —
The warren is locked up secure through and through! 🔒

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 35.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main changes: adding Content-Security-Policy header and externalizing theme-init scripts, which are the primary objectives of this PR.
Linked Issues check	✅ Passed	All requirements from issue #79 are met: CSP header implemented via @app.after_request hook, theme-init externalized to static/js/theme-init.js, integration tests added for both GET / and API routes, security directives included (object-src 'none' and form-action 'self' added), documentation added, and existing test suites pass.
Out of Scope Changes check	✅ Passed	All code changes directly support CSP implementation and theme-init externalization. Changes to event handler binding in app.js, projects.js, search.js, and sessions.js are necessary refactorings to remove inline onclick handlers (required for CSP compliance). New test files and documentation additions are in-scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/csp-header

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

app.py (2)

16-29: ⚡ Quick win

Consider adding defense-in-depth CSP directives.

The policy covers the primary fetch directives, but adding the following would strengthen the security posture:

• frame-ancestors 'none' — prevents clickjacking (similar to X-Frame-Options: DENY)
• base-uri 'self' — restricts <base> tag to prevent injection attacks
• form-action 'self' — limits form submission targets
• object-src 'none' — blocks plugins like Flash

These are not required for the current functionality but provide additional protection against common attack vectors.

🛡️ Proposed additions to CSP_POLICY

 CSP_POLICY = "; ".join(
     [
         "default-src 'self'",
         "script-src 'self' https://cdnjs.cloudflare.com",
         "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com",
         "img-src 'self' data:",
         "connect-src 'self'",
         "font-src 'self'",
+        "object-src 'none'",
+        "base-uri 'self'",
+        "form-action 'self'",
+        "frame-ancestors 'none'",
     ]
 )

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app.py` around lines 16 - 29, The CSP_POLICY variable in the list being
joined is missing defense-in-depth security directives. Add the following four
directives to the list of CSP policy strings in the join call: frame-ancestors
'none' to prevent clickjacking, base-uri 'self' to restrict base tag injection,
form-action 'self' to limit form submission targets, and object-src 'none' to
block plugins. Insert these as additional string elements in the list alongside
the existing default-src, script-src, style-src, img-src, connect-src, and
font-src directives.

---

16-29: Consider adding CSP reporting for production monitoring.

The policy currently has no report-uri or report-to directive. Adding CSP violation reporting helps detect:

• Unexpected script/resource injections
• Policy misconfigurations
• Attack attempts

You can use a service like report-uri.com or a self-hosted endpoint. Example:

"report-uri https://your-domain.report-uri.com/r/d/csp/enforce"

Or for newer browsers:

"report-to csp-endpoint"

(Requires accompanying Report-To header configuration)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app.py` around lines 16 - 29, The CSP_POLICY constant is missing CSP
violation reporting directives needed for production monitoring. Add a reporting
capability to the policy by including either a report-uri directive with a URL
to a reporting service (such as report-uri.com or a self-hosted endpoint), or a
report-to directive for newer browsers (which also requires configuring a
corresponding Report-To header). Include this new directive in the list being
joined together in the CSP_POLICY definition.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@app.py`:
- Around line 16-29: The CSP_POLICY variable in the list being joined is missing
defense-in-depth security directives. Add the following four directives to the
list of CSP policy strings in the join call: frame-ancestors 'none' to prevent
clickjacking, base-uri 'self' to restrict base tag injection, form-action 'self'
to limit form submission targets, and object-src 'none' to block plugins. Insert
these as additional string elements in the list alongside the existing
default-src, script-src, style-src, img-src, connect-src, and font-src
directives.
- Around line 16-29: The CSP_POLICY constant is missing CSP violation reporting
directives needed for production monitoring. Add a reporting capability to the
policy by including either a report-uri directive with a URL to a reporting
service (such as report-uri.com or a self-hosted endpoint), or a report-to
directive for newer browsers (which also requires configuring a corresponding
Report-To header). Include this new directive in the list being joined together
in the CSP_POLICY definition.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 86761943-0383-43af-8f5a-7d8aeb518d70

📥 Commits

Reviewing files that changed from the base of the PR and between 0435b2d and aceb5c1.

📒 Files selected for processing (6)

• app.py
• docs/architecture.md
• static/index.html
• static/js/hljs-theme-init.js
• static/js/theme-init.js
• tests/test_api_integration.py

[clean6378-max-it]

@CodeRabbit please check this PR in more depth

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read all changed files for deep review
echo "=== app.py ===" && cat app.py
echo ""
echo "=== static/index.html ===" && cat static/index.html
echo ""
echo "=== static/js/theme-init.js ===" && cat static/js/theme-init.js
echo ""
echo "=== static/js/hljs-theme-init.js ===" && cat static/js/hljs-theme-init.js
echo ""
echo "=== static/js/app.js ===" && cat static/js/app.js
echo ""
echo "=== static/js/projects.js ===" && cat static/js/projects.js
echo ""
echo "=== static/js/search.js ===" && cat static/js/search.js
echo ""
echo "=== static/js/sessions.js ===" && cat static/js/sessions.js
echo ""
echo "=== tests/test_api_integration.py ===" && cat tests/test_api_integration.py
echo ""
echo "=== tests/test_hljs_theme_consistency.py ===" && cat tests/test_hljs_theme_consistency.py
echo ""
echo "=== docs/architecture.md ===" && cat docs/architecture.md

Length of output: 59827

---

🏁 Script executed:

#!/bin/bash
# Check for any shared theme or export JS files referenced
echo "=== static/js/shared/theme.js ===" && cat static/js/shared/theme.js 2>/dev/null || echo "NOT FOUND"
echo ""
echo "=== static/js/export.js ===" && cat static/js/export.js 2>/dev/null || echo "NOT FOUND"
echo ""
# List all JS files
echo "=== All JS files ===" && fd -e js . static/
echo ""
# Check if there are any remaining inline event handlers in HTML
echo "=== Remaining inline handlers in index.html ===" && rg -n "on(click|keydown|load|submit)" static/index.html || echo "NONE"
echo ""
# Check for any unsafe-inline in CSP policy
echo "=== CSP policy definition ===" && rg -n "CSP_POLICY" app.py

Length of output: 8564

---

🏁 Script executed:

#!/bin/bash
# Check test configuration / conftest
echo "=== tests/conftest.py ===" && cat tests/conftest.py 2>/dev/null || echo "NOT FOUND"
echo ""
# Check existing tests
echo "=== Full test_api_integration.py ===" && cat tests/test_api_integration.py
echo ""
# Check for vitest config or package.json
echo "=== package.json ===" && cat package.json 2>/dev/null || echo "NOT FOUND"
echo ""
# Look for any remaining window.* assignments in app.js
echo "=== window assignments in app.js ===" && rg -n "window\." static/js/app.js || echo "NONE"
echo ""
# Check for any SRI hashes in index.html
echo "=== SRI integrity attributes in index.html ===" && rg -n "integrity" static/index.html
echo ""
# Check whether hljs-theme-init.js SRI hash matches index.html
echo "=== SRI hash in hljs-theme-init.js ===" && rg -n "integrity" static/js/hljs-theme-init.js

Length of output: 8900

---

---

@clean6378-max-it — Here is a thorough review of PR #87.

---

Overall Impression

This is a well-structured CSP implementation. The inline-script externalization is done correctly, SRI hashes are consistent across all three locations (verified), inline onclick handlers have been completely removed, and the regression tests for hash drift are a particularly nice touch. Below are the issues found, grouped by severity.

---

🔴 Security — Missing object-src 'none'

object-src is not explicitly set in CSP_POLICY, so it falls back to default-src 'self', which still allows <object>/<embed> from the same origin. Since this app never uses plugins, the safer posture is:

# app.py
CSP_POLICY = "; ".join(
    [
        "default-src 'self'",
        "script-src 'self' https://cdnjs.cloudflare.com",
        "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com",
        "img-src 'self' data:",
        "connect-src 'self'",
        "font-src 'self'",
        "object-src 'none'",         # ← add this
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]
)

object-src 'none' is one of the directives CSP evaluators (e.g., Google's CSP Evaluator) flag as essential because default-src does not cover object-src in browsers that still support plugins. It also prevents data exfiltration via <object data="...">.

---

🟡 Medium — setdefault silently allows blueprints to weaken the CSP

# app.py — line 105
response.headers.setdefault("Content-Security-Policy", CSP_POLICY)

setdefault means any blueprint that calls response.headers["Content-Security-Policy"] = ... earlier in the request cycle will silently override the policy without any warning. A future contributor adding a blueprint response could inadvertently weaken or remove the CSP. Consider using response.headers.set(...) (which always overwrites) and adding a note in the docstring. If override capability is genuinely needed for specific routes, that should be opt-in and explicit.

---

🟡 Medium — CSP test only covers GET /, not API routes

# tests/test_api_integration.py
def test_root_sets_csp_header(client):
    resp = client.get("/")
    ...

The @after_request hook applies to all Flask routes, but nothing currently verifies this for blueprint routes. A future regression (e.g., the hook being accidentally removed from create_app() or scoped differently) would not be caught for API responses. A companion assertion on any API route would close this gap:

def test_api_routes_set_csp_header(client):
    resp = client.get("/api/projects")
    assert resp.status_code == 200
    assert resp.headers.get("Content-Security-Policy") == CSP_POLICY

---

🟡 Medium — Misleading variable name APP_JS in test_hljs_theme_consistency.py

# tests/test_hljs_theme_consistency.py — line 18
APP_JS = REPO_ROOT / "static" / "js" / "shared" / "theme.js"

The constant is named APP_JS but points to shared/theme.js. Any future maintainer reading a failure traceback like APP_JS has no 'light' entry will be confused. Rename to THEME_JS:

THEME_JS = REPO_ROOT / "static" / "js" / "shared" / "theme.js"

And update all three references to it in the file (_js_theme_entry call-sites and the two test functions).

---

🟡 Medium — search.js — missing optional chaining on .focus()

All event-listener wiring in showSearchPage() uses ?.addEventListener(...), but the final line does not:

// static/js/search.js — last line of showSearchPage()
document.getElementById('search-input').focus();  // ← no ?.

This will throw a TypeError if (for any reason) the element isn't in the DOM at that point. It should be:

document.getElementById('search-input')?.focus();

---

🟢 Low / Defence-in-depth — Missing form-action 'self'

The app has no <form> elements today, but without form-action, a future form addition or an injected form could POST to an external origin even with the rest of the CSP intact. Adding "form-action 'self'" to the policy costs nothing and prevents a whole class of form-based exfiltration:

"form-action 'self'",

---

🟢 Low — Unused loadingBar import in app.js

// static/js/app.js — line 5
import { toggleSidebar, closeSidebar, loadingBar } from './shared/utils.js';

loadingBar is imported in app.js but never referenced in the module body. Vitest/bundlers won't catch this as an error but it adds noise and suggests it might have been a leftover from the pre-module-split era. Can be safely removed from app.js (each route module imports it directly).

---

✅ What's Done Well

Area	Note
SRI hash consistency	Dark hash matches between index.html and shared/theme.js; light hash matches between hljs-theme-init.js and shared/theme.js — the regression tests lock this invariant
Script load ordering	theme-init.js → hljs-theme-init.js → CDN scripts — correct for synchronous pre-paint execution
integrity before href	Both hljs-theme-init.js and applyHljsTheme() set integrity first, which is the correct browser behaviour
No residual inline handlers	Confirmed zero onclick/onkeydown attributes remaining in index.html
base-uri 'self' + frame-ancestors 'none'	These two are often forgotten; good to see both present
Export button wiring	bindProjectsExportButtons correctly defers event attachment until after smoothSet
Optional chaining	Consistently applied across projects.js, sessions.js, app.js for all newly bound handlers

[clean6378-max-it]

@CodeRabbit. all are addressed now?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== CSP_POLICY in app.py ===" && rg -n "CSP_POLICY|after_request|setdefault|headers.set" app.py
echo ""
echo "=== Full CSP_POLICY block ===" && sed -n '/^CSP_POLICY/,/^)/p' app.py
echo ""
echo "=== after_request hook ===" && rg -n -A5 "after_request" app.py
echo ""
echo "=== test_api_integration.py CSP tests ===" && rg -n "csp\|CSP\|api/projects" tests/test_api_integration.py
echo ""
echo "=== test_hljs_theme_consistency.py - APP_JS/THEME_JS ===" && rg -n "APP_JS\|THEME_JS" tests/test_hljs_theme_consistency.py
echo ""
echo "=== search.js focus line ===" && rg -n "focus" static/js/search.js
echo ""
echo "=== app.js loadingBar import ===" && rg -n "loadingBar" static/js/app.js

Length of output: 2243

---

🏁 Script executed:

#!/bin/bash
echo "=== CSP test coverage in test_api_integration.py ===" && grep -n "CSP\|csp\|api/projects\|api_routes" tests/test_api_integration.py
echo ""
echo "=== THEME_JS / APP_JS in test_hljs_theme_consistency.py ===" && grep -n "APP_JS\|THEME_JS" tests/test_hljs_theme_consistency.py

Length of output: 1310

---

---

@clean6378-max-it — Yes, all 7 issues are fully addressed. Here's the confirmation:

#	Issue	Status
🔴	object-src 'none' missing from CSP	✅ Added to CSP_POLICY
🟡	setdefault allows blueprints to weaken CSP	✅ Replaced with direct response.headers["Content-Security-Policy"] = CSP_POLICY + explanatory comment
🟡	CSP test only covered GET /	✅ test_api_routes_set_csp_header added, asserts CSP on GET /api/projects
🟡	Misleading APP_JS variable name	✅ Renamed to THEME_JS in tests/test_hljs_theme_consistency.py
🟡	Missing ?. on .focus() in search.js	✅ Now ?.focus() at line 47
🟢	Missing form-action 'self'	✅ Added to CSP_POLICY
🟢	Unused loadingBar import in app.js	✅ Removed

Everything looks good — the implementation is solid. 🐇