From 988b7023329662f6785d7c1f67c1318300c28ab0 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 6 Jun 2026 01:00:39 +0000
Subject: [PATCH] fix(security): harden export CSP and mitigate tabnabbing

Co-authored-by: d-oit <6849456+d-oit@users.noreply.github.com>
---
 src/features/export/ExportPanel.tsx | 1 +
 src/lib/export-core.ts              | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/features/export/ExportPanel.tsx b/src/features/export/ExportPanel.tsx
index b07a8a0c..b12215c3 100644
--- a/src/features/export/ExportPanel.tsx
+++ b/src/features/export/ExportPanel.tsx
@@ -80,6 +80,7 @@ const ExportPanel: React.FC = () => {
       const data = await fetchAllExportData(repository);
       const printWindow = window.open('', '_blank');
       if (!printWindow) throw new Error('Popup blocked');
+      printWindow.opener = null;
       const printDoc = printWindow.document;
       printDoc.open();
       printDoc.write(generatePrintHtml(data.entities, data.claims));
diff --git a/src/lib/export-core.ts b/src/lib/export-core.ts
index 49e688db..27349bc4 100644
--- a/src/lib/export-core.ts
+++ b/src/lib/export-core.ts
@@ -49,7 +49,7 @@ export function generateSiteHtml(data: ExportData): string {
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'unsafe-inline'; img-src 'self' data:; script-src 'none';">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'unsafe-inline'; img-src 'self' data:; script-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none';">
   <title>Knowledge Base</title>
   <style>
     body { font-family: system-ui, -apple-system, sans-serif; max-width: 900px; margin: 0 auto; padding: 2rem; line-height: 1.6; color: #1e293b; background: #f8fafc; }
@@ -188,7 +188,7 @@ export function generatePrintHtml(entities: Entity[], claims: Record<string, Cla
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'unsafe-inline'; img-src 'self' data:; script-src 'none';">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'unsafe-inline'; img-src 'self' data:; script-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none';">
   <title>Knowledge Base Export</title>
   <style>
     body { font-family: system-ui, -apple-system, sans-serif; max-width: 800px; margin: 0 auto; padding: 2rem; line-height: 1.6; color: #1e293b; }