From e8a4f637dfa10510b350b95efaa4b5eb9a8f6f28 Mon Sep 17 00:00:00 2001
From: Adam Mathes <adam@adammathes.com>
Date: Mon, 16 Feb 2026 19:01:17 -0800
Subject: Fix CSP violation on login page by moving inline script to external
 file

---
 web/static/login.html      | 10 +++++-----
 web/static/login_script.js |  8 ++++++++
 2 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 web/static/login_script.js

(limited to 'web/static')

diff --git a/web/static/login.html b/web/static/login.html
index c469528..49034a6 100644
--- a/web/static/login.html
+++ b/web/static/login.html
@@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html lang="en">
+
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
@@ -112,6 +113,7 @@
         }
     </style>
 </head>
+
 <body>
     <div class="login-card">
         <h1>Welcome Back</h1>
@@ -127,13 +129,11 @@
             </div>
             <button type="submit">Sign In</button>
         </form>
-        <script>
-            var match = document.cookie.split('; ').find(function(row) { return row.startsWith('csrf_token='); });
-            if (match) document.getElementById('csrf_token').value = match.split('=')[1];
-        </script>
+        <script src="/static/login_script.js"></script>
         <div class="footer">
             Neko RSS Reader
         </div>
     </div>
 </body>
-</html>
+
+</html>
\ No newline at end of file
diff --git a/web/static/login_script.js b/web/static/login_script.js
new file mode 100644
index 0000000..75d29f4
--- /dev/null
+++ b/web/static/login_script.js
@@ -0,0 +1,8 @@
+window.addEventListener('DOMContentLoaded', function () {
+    var match = document.cookie.split('; ').find(function (row) { return row.startsWith('csrf_token='); });
+    if (match) {
+        var token = match.split('=')[1];
+        var input = document.getElementById('csrf_token');
+        if (input) input.value = token;
+    }
+});
-- 
cgit v1.2.3