Security: CSP policy allows unsafe inline scripts and styles on admin/API surface#586

Open
tuanaiseo wants to merge 1 commit into emdash-cms:main from tuanaiseo:contribai/fix/security/csp-policy-allows-unsafe-inline-scripts-

Conversation

@tuanaiseo

Problem

The CSP builder includes `script-src 'unsafe-inline'` and `style-src 'unsafe-inline'` for `/_emdash` routes. If any XSS injection occurs, inline script execution is permitted, substantially reducing CSP's mitigation value.

Severity: medium
File: packages/core/src/astro/middleware/csp.ts

Solution

Move to nonce- or hash-based CSP for scripts/styles and remove 'unsafe-inline'. If inline styles are unavoidable, keep them scoped and remove unsafe inline scripts first. Add report-uri/report-to for CSP violation monitoring.

Changes

  • packages/core/src/astro/middleware/csp.ts (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

The CSP builder includes `script-src 'unsafe-inline'` and `style-src 'unsafe-inline'` for `/_emdash` routes. If any XSS injection occurs, inline script execution is permitted, substantially reducing CSP's mitigation value.

Affected files: csp.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
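The nonce-based policy the Solution section proposes, written out as an added example; this is not code from this PR or from the emdash code base. The names `generateNonce`, `buildAdminCsp`, `reportingEndpointsHeader`, `inlineScriptTag` and `unsafeInlineDirectives`, and the report path `/_emdash/csp-report`, are assumptions chosen for illustration, not the project's `csp.ts` API. Besides building the hardened header it includes an audit check that flags any `script-src`/`style-src` directive in which `'unsafe-inline'` is still effective, which is the regression a CI test for the change would want to catch.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical helper names for illustration; not the emdash csp.ts API.

// 128 bits of CSPRNG output, base64-encoded, regenerated for every response.
function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

interface CspOptions {
  nonce: string;
  // Assumed endpoint path that receives violation reports (e.g. "/_emdash/csp-report").
  reportPath?: string;
}

// Builds the admin-surface policy with nonce sources instead of 'unsafe-inline'.
function buildAdminCsp(opts: CspOptions): string {
  const nonceSource = `'nonce-${opts.nonce}'`;
  const directives: Array<[string, string[]]> = [
    ["default-src", ["'self'"]],
    ["script-src", ["'self'", nonceSource]],
    ["style-src", ["'self'", nonceSource]],
    ["object-src", ["'none'"]],
    ["base-uri", ["'self'"]],
    ["frame-ancestors", ["'none'"]],
  ];
  if (opts.reportPath) {
    // report-uri for older browsers, report-to for the Reporting API.
    directives.push(["report-uri", [opts.reportPath]]);
    directives.push(["report-to", ["csp-endpoint"]]);
  }
  return directives.map(([name, values]) => `${name} ${values.join(" ")}`).join("; ");
}

// Companion Reporting-Endpoints header value naming the group used in report-to.
function reportingEndpointsHeader(reportPath: string): string {
  return `csp-endpoint="${reportPath}"`;
}

// Inline script emitted by the admin template; the nonce must match the header.
function inlineScriptTag(nonce: string, code: string): string {
  return `<script nonce="${nonce}">${code}</script>`;
}

// Audit check: which script-src/style-src directives still allow inline code?
// A nonce- or hash- source in the same directive makes CSP Level 2+ browsers
// ignore 'unsafe-inline', so only directives without one are reported.
function unsafeInlineDirectives(policy: string): string[] {
  return policy
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .filter((parts) => parts[0] === "script-src" || parts[0] === "style-src")
    .filter((parts) => parts.slice(1).includes("'unsafe-inline'"))
    .filter((parts) => !parts.slice(1).some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v)))
    .map((parts) => parts[0] ?? "");
}

// Example run over the old (constructed) policy and the hardened one.
const nonce = generateNonce();
const hardened = buildAdminCsp({ nonce, reportPath: "/_emdash/csp-report" });
const legacy = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
console.log("legacy  :", unsafeInlineDirectives(legacy));   // ["script-src", "style-src"]
console.log("hardened:", unsafeInlineDirectives(hardened)); // []
console.log("Content-Security-Policy:", hardened);
console.log("Reporting-Endpoints:", reportingEndpointsHeader("/_emdash/csp-report"));
console.log(inlineScriptTag(nonce, "console.log('admin ready')"));
```

The nonce has to reach every inline `<script>` and `<style>` the admin pages render, which is the part ascorbic's comment below asks about: any inline block the template emits without the attribute will be blocked once `'unsafe-inline'` is gone, so the audit function is best paired with a report endpoint and a run through the admin UI before the header ships.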
@github-actions
Contributor

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@changeset-bot

changeset-bot bot commented Apr 15, 2026

⚠️ No Changeset found

Latest commit: 619f790

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@ascorbic
Collaborator

This just adds the rule without any indication as to whether this breaks the admin
