
ci: add CSP directives #13485

Open

moabu wants to merge 3 commits into main from ci-add-reo-csp

Conversation

@moabu (Member) commented Mar 12, 2026

Prepare


Description

Target issue

closes #issue-number-here

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • Chores
    • Documentation build now injects a conditional Content-Security-Policy meta tag for the docs site. When enabled via configuration, this policy controls permitted script sources (including inline/eval and a trusted CDN) and allowed external connections, providing adjustable protection for documentation pages across different deployment environments.

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
@coderabbitai (Contributor) coderabbitai bot commented Mar 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 89c8de14-aa3d-43d1-8ad8-2f853f49d92c

📥 Commits

Reviewing files that changed from the base of the PR and between 31f7931 and c8eaa95.

📒 Files selected for processing (1)
  • docs/overrides/main.html

📝 Walkthrough

Walkthrough

Adds an extrahead block to the docs template override that preserves existing head content and conditionally injects a Content-Security-Policy meta tag when config.extra.enable_reo_flag is true, allowing scripts from specific sources and permitting connections to a designated API domain.

Changes

Cohort / File(s) Summary
Documentation Template Override
docs/overrides/main.html
Adds an extrahead block that calls super() and conditionally injects a Content-Security-Policy meta tag when config.extra.enable_reo_flag is enabled; CSP permits self, unsafe-inline, unsafe-eval, https://static.reo.dev for scripts and https://api.reo.dev for connections.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • ci: fix docs build #13232: Modifies docs/overrides/main.html and conditions REO-related behavior on config.extra.enable_reo_flag; related to CSP/script control changes.
  • fix(ci): add Reo script for tracking #13118: Adds REO script and JS asset injection guarded by enable_reo_flag in docs/overrides/main.html; directly related to enabling Reo integration.

Suggested labels

area-documentation

Suggested reviewers

  • ossdhaval
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning
    Explanation: The PR description is largely incomplete. The Target issue placeholder remains unfilled ('closes #issue-number-here'), Implementation Details are empty, and all required test/documentation checkboxes are unchecked with no confirmation of docs impact.
    Resolution: Fill in the target issue number, provide Implementation Details explaining the CSP configuration and its purpose, and check relevant test/documentation checkboxes or confirm no docs impact.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title 'ci: add CSP directives' is clear and specific, accurately summarizing the main change of adding Content Security Policy directives to the template.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@mo-auto added labels area-CI (Issue or changes required in automatic builds or CI infrastructure) and comp-docs (Touching folder /docs) on Mar 12, 2026
@coderabbitai (Contributor) coderabbitai bot left a review comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/overrides/main.html`:
- Line 7: Update the Content-Security-Policy meta tag to remove the unnecessary
'unsafe-eval' token (and optionally drop 'unsafe-inline' if verified
unnecessary); specifically edit the meta element that sets
script-src/connect-src in main.html and remove 'unsafe-eval' from the script-src
list, confirming that docs/assets/js/reo.js only injects a <script> element (no
eval/Function usage) before removing 'unsafe-inline' as well.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0924fbe4-6757-478b-b9ab-1690e4594d50

📥 Commits

Reviewing files that changed from the base of the PR and between 5aa4d67 and 31f7931.

📒 Files selected for processing (1)
  • docs/overrides/main.html
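The review above turns on two things a reviewer has to verify by hand: which tokens the injected meta tag's script-src actually contains, and whether 'unsafe-eval' and 'unsafe-inline' survive into the rendered page. The following is an added example, not code from this repository: a small Python check that pulls the Content-Security-Policy meta tag out of rendered HTML, parses the directives the way a browser does (first occurrence of a directive wins), and reports the script-src tokens that weaken the policy. The two HTML fragments are constructed to mirror the policy quoted in the walkthrough (weak) and the variant the review asks for (tightened); the exact wording of the tightened policy is an assumption.

```python
"""Extract a CSP <meta> tag from rendered HTML and flag weak script-src tokens.

Added example, not the project's own code. The HTML fragments below are
constructed to mirror the policy described in the PR walkthrough.
"""
from html.parser import HTMLParser

# Source tokens that give up most of what script-src is meant to enforce.
WEAK_SCRIPT_TOKENS = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Constructed: what the docs <head> looks like with the policy from the PR.
RENDERED_HEAD_WEAK = """<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.reo.dev; connect-src https://api.reo.dev">
</head>"""

# Constructed: the same <head> after dropping both unsafe tokens as the review
# suggests (assumed wording; the page only describes the change in prose).
RENDERED_HEAD_TIGHT = """<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://static.reo.dev; connect-src 'self' https://api.reo.dev">
</head>"""


class CspMetaExtractor(HTMLParser):
    """Collect the content attribute of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # HTMLParser lower-cases attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", "").strip())


def extract_csp(html):
    """Return the list of CSP policy strings declared via <meta> in the HTML."""
    parser = CspMetaExtractor()
    parser.feed(html)
    return parser.policies


def parse_csp(policy):
    """Split 'dir src src; dir src' into {dir: [src, ...]}.

    Directive names are case-insensitive, and a repeated directive is ignored
    (browsers honour the first one), so duplicates never widen the policy.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def script_sources(policy):
    """script-src governs scripts; without it the browser falls back to default-src."""
    directives = parse_csp(policy)
    return directives.get("script-src", directives.get("default-src", []))


def weak_script_tokens(policy):
    """Return, sorted, the script-src tokens that weaken the policy (keywords are case-insensitive)."""
    return sorted(t for t in script_sources(policy) if t.lower() in WEAK_SCRIPT_TOKENS)


if __name__ == "__main__":
    for label, head in (("weak", RENDERED_HEAD_WEAK), ("tight", RENDERED_HEAD_TIGHT)):
        for policy in extract_csp(head):
            print(f"{label}: script-src={script_sources(policy)} weak={weak_script_tokens(policy)}")
```

Run against the two fragments, the weak head reports 'unsafe-eval' and 'unsafe-inline' and the tightened head reports nothing, which is the condition a CI step could assert on after `mkdocs build`. Two caveats worth keeping in mind when the policy is delivered through a meta tag rather than an HTTP header: the browser ignores frame-ancestors, report-uri and sandbox in a meta-delivered policy, and because the policy on this page has no default-src, only scripts and connections are constrained; every other resource type stays unrestricted.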

@mo-auto (Member) commented Mar 12, 2026

Snyk checks have passed. No issues have been found so far.

  • Scan engine: Open Source Security. Status: passed. Critical 0, High 0, Medium 0, Low 0. Total: 0 issues.


moabu and others added 2 commits March 13, 2026 13:11
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>