
Harden Export Security and Mitigate Tabnabbing #279

Merged: d-oit merged 1 commit into main from fix/security-export-hardening-10640798830242734631 on Jun 6, 2026

Conversation

@d-oit (Owner) commented Jun 6, 2026

This change implements two concrete security enhancements for the application's export functionality:

  1. Harden Content Security Policy (CSP) for HTML Exports: Updated generateSiteHtml and generatePrintHtml in src/lib/export-core.ts to include object-src 'none', base-uri 'none', and form-action 'none'. This significantly reduces the attack surface of exported knowledge bases by preventing plugin execution, <base> tag hijacking, and unauthorized form submissions.
  2. Mitigate Tabnabbing in PDF Export: Updated the handleExportPDF function in src/features/export/ExportPanel.tsx to set printWindow.opener = null when opening the print popup. This prevents the newly opened window from accessing or manipulating the original application window via the window.opener property.

These changes align with 2026 security best practices for local-first applications and static data exports. All tests passed, and frontend verification confirmed no regressions in the export flow.


PR created automatically by Jules for task 10640798830242734631 started by @d-oit

Co-authored-by: d-oit <6849456+d-oit@users.noreply.github.com>
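The two mitigations the PR describes, as an added JavaScript example that is not code from src/lib/export-core.ts or ExportPanel.tsx: buildExportCsp, parseCsp, cspWeaknesses and openIsolatedWindow are assumed names, and the base policy passed in is constructed for illustration. The checker is slightly more general than the PR itself, since it also flags the three directives when present but set to something weaker than 'none'.

```javascript
// Added example, not the project's own code; function names are assumptions.

// The three directives the PR adds to the exported HTML's CSP.
const HARDENING_DIRECTIVES = {
  "object-src": "'none'",  // no <object>/<embed> plugin content
  "base-uri": "'none'",    // no <base href> rewriting of relative URLs
  "form-action": "'none'", // no form submission targets at all
};

// Merge the hardening directives into an existing policy object and
// serialise it as a CSP string usable in a <meta http-equiv> tag.
function buildExportCsp(baseDirectives) {
  const merged = { ...baseDirectives, ...HARDENING_DIRECTIVES };
  return Object.entries(merged).map(([d, v]) => `${d} ${v}`).join("; ");
}

// Parse a CSP string into { directive: [sources] }; first occurrence wins, as in browsers.
function parseCsp(csp) {
  const out = Object.create(null);
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !(tokens[0].toLowerCase() in out)) {
      out[tokens[0].toLowerCase()] = tokens.slice(1);
    }
  }
  return out;
}

// List hardening directives that are missing or weaker than 'none'
// (empty list == the export policy is hardened as the PR intends).
function cspWeaknesses(csp) {
  const parsed = parseCsp(csp);
  const problems = [];
  for (const [name, want] of Object.entries(HARDENING_DIRECTIVES)) {
    const got = parsed[name];
    if (!got) problems.push(`${name} missing`);
    else if (got.length !== 1 || got[0] !== want) {
      problems.push(`${name} is "${got.join(" ")}", expected ${want}`);
    }
  }
  return problems;
}

// Open a popup and sever its back-reference to this window. `openFn` is
// window.open (a stub in tests). Nulling `opener` instead of passing the
// "noopener" feature (which makes window.open return null) keeps the handle.
function openIsolatedWindow(openFn, url = "", name = "_blank") {
  const win = openFn(url, name);
  if (win) win.opener = null;
  return win;
}
```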
@google-labs-jules (Contributor) commented:

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@github-actions github-actions Bot added the config label Jun 6, 2026
@deepsource-io (Bot) commented Jun 6, 2026

DeepSource Code Review

We reviewed changes in 8afa028...988b702 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

Important

Some issues found as part of this review are outside of the diff in this pull request and aren't shown in the inline review comments due to GitHub's API limitations. You can see those issues on the DeepSource dashboard.

PR Report Card (grade badges for Overall Grade, Security, Reliability, Complexity and Hygiene; badge images not captured)

Code Review Summary

Analyzer Status Updated (UTC) Details
JavaScript Jun 6, 2026 1:00a.m. Review ↗
Python Jun 6, 2026 1:00a.m. Review ↗
Shell Jun 6, 2026 1:00a.m. Review ↗
SQL Jun 6, 2026 1:00a.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@codacy-production (Contributor) commented:

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy


@d-oit d-oit merged commit 47bd194 into main Jun 6, 2026
22 of 23 checks passed
@d-oit d-oit deleted the fix/security-export-hardening-10640798830242734631 branch June 6, 2026 09:20
