diff --git a/docs/superpowers/plans/2026-07-08-xss-sink-csp.md b/docs/superpowers/plans/2026-07-08-xss-sink-csp.md new file mode 100644 index 0000000..9012a02 --- /dev/null +++ b/docs/superpowers/plans/2026-07-08-xss-sink-csp.md @@ -0,0 +1,262 @@ +# XSS Sink Remediation + CSP Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Eliminate the `innerHTML` XSS sink in `utils.showAlert` and add a nonce-based Content-Security-Policy header to the frontend route. + +**Architecture:** Frontend `showAlert` is rewritten to build alert DOM via `document.createElement` / `textContent` (no `innerHTML`). Backend `read_root()` generates a per-request nonce, injects it into the inline `