/** * Prepend a Content-Security-Policy tag to HTML. * First CSP meta tag wins per spec, so any existing CSP * in the HTML is effectively overridden. */ export function injectCsp(html: string, csp: string): string { if (!csp) return html; const escaped = csp.replace(/"/g, '"'); const tag = ``; const idx = html.indexOf(''); return idx !== -1 ? html.slice(0, idx + 6) + tag + html.slice(idx + 6) : tag + html; }