From 688d38120acedfee61889b4070960611e1f55beb Mon Sep 17 00:00:00 2001 From: Marcel Date: Mon, 1 Jun 2026 20:17:08 +0200 Subject: [PATCH] docs(caddy): note future CSP must allow wasm-unsafe-eval for pdf.js If a Content-Security-Policy is ever added, it must permit 'wasm-unsafe-eval' (script-src) and 'self' blob: (worker-src) or the pdf.js wasm decoders and worker break and scanned PDFs render blank. Forward-looking note so the future CSP author doesn't silently reintroduce #708. Refs #708 Co-Authored-By: Claude Opus 4.8 --- infra/caddy/Caddyfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/infra/caddy/Caddyfile b/infra/caddy/Caddyfile index b3d1e971..3b47d4e6 100644 --- a/infra/caddy/Caddyfile +++ b/infra/caddy/Caddyfile @@ -22,6 +22,10 @@ # XSS landing in a privileged origin: a payload cannot silently turn # on the microphone or read geolocation. Permissions-Policy "camera=(), microphone=(), geolocation=()" + # No Content-Security-Policy is set yet. When one is added, it MUST + # include `script-src 'wasm-unsafe-eval'` and `worker-src 'self' blob:` + # or the pdf.js WebAssembly image decoders (JBIG2/CCITTFax/JPEG2000) + # and worker will be blocked and scanned PDFs render blank. See #708. -Server } }
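Review bot: As written, the new comment block ("it MUST include `script-src 'wasm-unsafe-eval'` and `worker-src 'self' blob:`") could lead a future CSP author to write `script-src 'wasm-unsafe-eval'` on its own, which would still block pdf.js's own script loads; the comment should say that `'wasm-unsafe-eval'` is needed in addition to whatever source serves the pdf.js bundle (typically `'self'`), and that if `worker-src` is omitted the browser falls back to `child-src` and then `script-src`, so the `blob:` allowance has to land in whichever of those directives actually ends up in the policy. It would also help to suggest that the eventual policy first ship as `Content-Security-Policy-Report-Only`, so a blank-rendering regression like #708 surfaces as console violation reports before the header is enforced. Minor wording: "and worker will be blocked and scanned PDFs render blank" reads better as "and the worker will be blocked, and scanned PDFs will render blank".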