b8e01f997d
If a Content-Security-Policy is ever added, it must permit 'wasm-unsafe-eval' (script-src) and 'self' blob: (worker-src) or the pdf.js wasm decoders and worker break and scanned PDFs render blank. Forward-looking note so the future CSP author doesn't silently reintroduce #708. Refs #708 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>