For the list of security-related issues, see security .

In particular, both of the following issues have come up again for me recently:

• Document minimal Content-Security-Policy? #301
• How to use Goldmark renderer without setting unsafe to true? #323

E.g., a few Docsy features use inlined & in-page formatting and scripts. We should consider moving away from that (as we fold in other work, such as for the page-feedback feature).

Context & related:

• [docsy] Work around inline-style CSP restriction theupdateframework/theupdateframework.io#73