audit F19 [security]: CSP test uses substring matching — additions of unsafe-inline / unsafe-hashes to existing directives pass undetected #619

@intendednull

Description

File: crates/web/tests/static_assets.rs:154
Severity: security
Obvious? no

index_html_declares_content_security_policy asserts contents.contains(directive) for each entry in REQUIRED_CSP_DIRECTIVES. This is one-sided: it ensures the listed baseline is present but does NOT block additions. A PR that changes the meta tag from script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' to script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://* still passes the test — the original substring is preserved verbatim in the longer string. Concretely, a PR widening img-src from 'self' https: data: blob: to 'self' https: data: blob: http: file: ships green CI. Equivalent risk for script-src, style-src, connect-src.

Fix: parse the content attribute, split on ;, and assert each directive's full token list equals an exact set; reject any extra source token not in the allow-list. The same parser also lets the test detect unintended directive removal (today the test only reports the first missing required directive, not extras). Add a dedicated negative test that fails if any directive contains unsafe-inline (except style-src) or data: for script-src.
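A parser-based check of the kind the fix proposes, written here as an added example (it is not the crate's code and not the existing static_assets.rs test); the allow-list is a constructed subset holding only the two directives the issue quotes, and the check reports every deviation rather than the first missing directive:

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Exact allow-list. Constructed for this example from the two directives the
/// issue quotes; the real test would enumerate every directive in the meta tag.
pub const EXPECTED_CSP: &[(&str, &[&str])] = &[
    ("script-src", &["'self'", "'wasm-unsafe-eval'", "'unsafe-eval'"]),
    ("img-src", &["'self'", "https:", "data:", "blob:"]),
];

/// Parse a CSP `content` attribute into directive name -> set of source tokens.
pub fn parse_csp(content: &str) -> BTreeMap<String, BTreeSet<String>> {
    content.split(';').filter_map(|d| {
        let mut parts = d.split_whitespace();
        let name = parts.next()?.to_ascii_lowercase();
        let tokens: BTreeSet<String> = parts.map(String::from).collect();
        Some((name, tokens))
    }).collect()
}
/// Compare a policy against the allow-list. Every problem is reported, not just
/// the first, and an empty Vec means the token sets match exactly.
pub fn csp_violations(content: &str, expected: &[(&str, &[&str])]) -> Vec<String> {
    let actual = parse_csp(content);
    let mut problems = Vec::new();
    for (name, tokens) in expected {
        let want: BTreeSet<String> = tokens.iter().map(|t| t.to_string()).collect();
        match actual.get(*name) {
            None => problems.push(format!("missing directive: {name}")),
            Some(got) => {
                // Extra tokens are exactly what a substring check lets through.
                for extra in got.difference(&want) {
                    problems.push(format!("{name}: unexpected source {extra}"));
                }
                for missing in want.difference(got) {
                    problems.push(format!("{name}: missing source {missing}"));
                }
            }
        }
    }
    // Dedicated negative checks: no 'unsafe-inline' outside style-src, no data: in script-src.
    for (name, got) in &actual {
        if name != "style-src" && got.contains("'unsafe-inline'") {
            problems.push(format!("{name}: 'unsafe-inline' is not allowed"));
        }
        if name == "script-src" && got.contains("data:") {
            problems.push("script-src: data: is not allowed".to_string());
        }
    }
    problems
}
```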


Filed by /general-audit @ 88498a5 (2026-05-04). master: #600.
