mirror of
https://github.com/tiennm99/loto.git
synced 2026-05-21 06:24:05 +00:00
7c893aa3b5
Postbuild script computes SHA-256 of every inline <script> in build/index.html and rewrites build/_headers — replacing the script-src 'unsafe-inline' relaxation with the matching hashes. The hash regenerates per build (SvelteKit bootstrap embeds a per-build registration call) so the script must run on every build; chain it into both `npm run build` and `build:gh`. verify-build extended to assert build/_headers script-src no longer contains 'unsafe-inline', so the inject step's output is enforced in CI. style-src 'unsafe-inline' stays — Svelte's `style:` directives emit inline attributes that hashes can't cover.
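The technique the commit message describes, as an added Node.js example; this is not the repository's postbuild script. The function names and the sample HTML and `_headers` content are constructed for illustration, and the sketch assumes the CSP sits on a single line of `_headers`.

```javascript
// Added example; names and sample data are constructed, not the repository's script.
const crypto = require('node:crypto');

// CSP hash source: base64 SHA-256 of the exact script body, whitespace included.
function cspHash(body) {
  return `'sha256-${crypto.createHash('sha256').update(body, 'utf8').digest('base64')}'`;
}

// Hash inline scripts only; <script src=...> is matched by host sources, not hashes.
function inlineScriptHashes(html) {
  const hashes = new Set();
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (!/(?:^|\s)src\s*=/i.test(attrs) && body !== '') hashes.add(cspHash(body));
  }
  return [...hashes];
}

// Drop 'unsafe-inline' (and stale hashes from an earlier build) from script-src only.
function rewriteHeaders(headers, hashes) {
  let found = false;
  const out = headers.replace(/\bscript-src(?![\w-])([^;\n]*)/g, (_, values) => {
    found = true;
    const kept = values.split(/\s+/)
      .filter((v) => v && v !== "'unsafe-inline'" && !v.startsWith("'sha256-"));
    return ['script-src', ...kept, ...hashes].join(' ');
  });
  if (!found) throw new Error('no script-src directive in _headers');
  return out;
}

// The check described for verify-build: script-src must not allow 'unsafe-inline'.
function scriptSrcIsStrict(headers) {
  const m = headers.match(/\bscript-src(?![\w-])([^;\n]*)/);
  return m !== null && !m[1].includes("'unsafe-inline'");
}

// Constructed sample inputs standing in for build/index.html and build/_headers.
const SAMPLE_HTML = `<html><body>
<script src="/_app/entry.js"></script>
<script>window.__build = "build-123";</script>
</body></html>`;
const SAMPLE_HEADERS = `/*
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
`;

const rewritten = rewriteHeaders(SAMPLE_HEADERS, inlineScriptHashes(SAMPLE_HTML));
console.log(rewritten);
```

The hash covers the script body byte for byte, so any step that alters `index.html` after hashing (minification, injection by a host) makes the browser block that script.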