
[security] No Content-Security-Policy header in web app #175

@intendednull

Description


Problem

crates/web/index.html sets no Content-Security-Policy, neither as a meta tag nor as an HTTP header. CSP is a critical defense-in-depth mechanism that mitigates XSS, data injection, and clickjacking attacks; it matters especially here because the codebase already contains js_sys::eval() calls.

Without CSP:

  • Any injected script can execute without restriction
  • The app can be framed by malicious sites (clickjacking)
  • External resources can be loaded without constraint

Severity

MEDIUM — missing hardening layer. Combined with any XSS vector, impact escalates to critical.

Fix

Add a CSP meta tag to crates/web/index.html:

<meta http-equiv="Content-Security-Policy"
  content="default-src 'self';
           script-src 'self' 'wasm-unsafe-eval';
           style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
           font-src 'self' https://fonts.gstatic.com;
           img-src 'self' data: blob:;
           connect-src 'self' wss: ws: https:;
           frame-ancestors 'none';">

Notes:

  • 'wasm-unsafe-eval' is required to compile and instantiate the WASM module; it does not permit JavaScript eval(), so the existing js_sys::eval() calls will be blocked under this policy (granting 'unsafe-eval' instead would re-open that hole and should be avoided)
  • 'unsafe-inline' for styles can be tightened later with nonces or hashes
  • connect-src needs wss: for relay WebSocket connections; note that ws: permits plaintext WebSockets and a bare https: scheme source permits requests to any HTTPS origin, so prefer listing the relay host(s) explicitly
  • frame-ancestors 'none' prevents clickjacking, but browsers ignore frame-ancestors (as well as report-uri and sandbox) when the policy is delivered in a <meta> tag; it only takes effect as a Content-Security-Policy HTTP header
  • Once eval() calls are removed (#XSS-issue), the CSP can be tightened further

Also add X-Content-Type-Options: nosniff and X-Frame-Options: DENY when the app is served behind a reverse proxy or by the relay server. Both are HTTP-only headers with no meta-tag equivalent, and X-Frame-Options covers older browsers that do not understand frame-ancestors.
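To make the notes above checkable, here is a small policy linter written as an added example for this issue (it is not part of the project's code). It parses the proposed policy, flags the sources a reviewer would question (ws:, bare https:, anything unsafe in script-src), reports directives that a <meta> delivery silently drops, and builds the header set the relay or reverse proxy should send. The `via_meta` flag, the `lint` and `security_headers` names, and the flattened copy of the policy are assumptions made for the example; only std is used so it runs stand-alone.

```rust
use std::collections::BTreeMap;

/// Directives browsers ignore when CSP arrives in a <meta http-equiv> tag;
/// they only take effect when sent as an HTTP header.
pub const META_IGNORED: &[&str] = &["frame-ancestors", "report-uri", "sandbox"];

/// The policy proposed in this issue, flattened to one line as checker input.
pub const PROPOSED_POLICY: &str = "default-src 'self'; \
    script-src 'self' 'wasm-unsafe-eval'; \
    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; \
    font-src 'self' https://fonts.gstatic.com; \
    img-src 'self' data: blob:; \
    connect-src 'self' wss: ws: https:; \
    frame-ancestors 'none';";

/// Split a serialized policy into directive name -> source list.
/// Per CSP, a directive that appears twice keeps its first occurrence.
pub fn parse_csp(policy: &str) -> BTreeMap<String, Vec<String>> {
    let mut directives = BTreeMap::new();
    for clause in policy.split(';') {
        let mut tokens = clause.split_whitespace();
        if let Some(name) = tokens.next() {
            let values: Vec<String> = tokens.map(str::to_string).collect();
            directives.entry(name.to_ascii_lowercase()).or_insert(values);
        }
    }
    directives
}

/// Static checks to run before shipping a policy. `via_meta` says whether it
/// is delivered in index.html rather than as a response header (assumed API).
pub fn lint(policy: &str, via_meta: bool) -> Vec<String> {
    let d = parse_csp(policy);
    let mut findings = Vec::new();
    // true when `name` lists the exact source expression `src`
    let has = |name: &str, src: &str| d.get(name).map_or(false, |v| v.iter().any(|s| s == src));

    if !d.contains_key("default-src") {
        findings.push("missing default-src: unlisted fetch directives fall open".to_string());
    }
    if via_meta {
        for name in META_IGNORED {
            if d.contains_key(*name) {
                findings.push(format!("{name} is ignored in a <meta> policy; send it as an HTTP header"));
            }
        }
    }
    for src in ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"] {
        if has("script-src", src) {
            findings.push(format!("script-src allows {src}, which defeats the XSS protection"));
        }
    }
    if has("connect-src", "ws:") {
        findings.push("connect-src allows ws:, i.e. plaintext WebSocket to any host".to_string());
    }
    if has("connect-src", "https:") {
        findings.push("connect-src allows https: to any origin; list the relay hosts instead".to_string());
    }
    if has("script-src", "'wasm-unsafe-eval'") && !has("script-src", "'unsafe-eval'") {
        findings.push("'wasm-unsafe-eval' permits WebAssembly only; remaining JS eval() calls will be blocked".to_string());
    }
    findings
}

/// Response headers the relay / reverse proxy should add when serving the app.
/// X-Frame-Options stays for browsers that predate frame-ancestors.
pub fn security_headers(policy: &str) -> Vec<(&'static str, String)> {
    vec![
        ("Content-Security-Policy", policy.trim().to_string()),
        ("X-Content-Type-Options", "nosniff".to_string()),
        ("X-Frame-Options", "DENY".to_string()),
    ]
}

fn main() {
    for finding in lint(PROPOSED_POLICY, true) {
        println!("meta delivery: {finding}");
    }
    for (name, value) in security_headers(PROPOSED_POLICY) {
        println!("{name}: {value}");
    }
}
```

Run with `lint(PROPOSED_POLICY, true)` the checker reports the frame-ancestors drop, the two loose connect-src sources, and the eval() note from the list above; with `via_meta = false` the frame-ancestors finding disappears, which is the argument for also setting the header on the relay server.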

Locations

  • crates/web/index.html — needs CSP meta tag
  • Relay server (if serving static assets) — should set CSP HTTP header
