From 754e9c82b89e9e3a9e1d546383b4514a592a389b Mon Sep 17 00:00:00 2001
From: Johannes Marbach
Date: Tue, 24 Mar 2026 11:34:59 +0100
Subject: [PATCH] Document why we cannot use wasm-unsafe-eval yet
Signed-off-by: Johannes Marbach
---
 config/_default/hugo.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/_default/hugo.toml b/config/_default/hugo.toml
index eae2900f..14e4aeb3 100644
--- a/config/_default/hugo.toml
+++ b/config/_default/hugo.toml
@@ -152,7 +152,8 @@ sidebar_menu_compact = true
 [server.headers.values]
 # `style-src 'unsafe-inline'` is needed to correctly render the maths in the Olm spec:
 # https://github.com/KaTeX/KaTeX/issues/4096
- # `script-src 'unsafe-eval'` is needed because Pagefind relies on it to load its Wasm:
+ # `script-src 'unsafe-eval'` is needed because Pagefind relies on it to load its Wasm.
+ # In future, we should switch to `wasm-unsafe-eval` but this doesn't yet work in Safari:
 # https://github.com/Pagefind/pagefind/blob/main/docs/content/docs/hosting.md
 Content-Security-Policy = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self' data:; connect-src 'self'; font-src 'self' data:; media-src 'self'; child-src 'self'; form-action 'self'; object-src 'self'"
 X-XSS-Protection = "1; mode=block"
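Review bot: The added comment line above the `Content-Security-Policy` value says why the switch to `wasm-unsafe-eval` is blocked, but not why it is wanted, so a later reader cannot tell how much the current policy gives up. `'unsafe-eval'` in `script-src` also permits `eval()` and `Function()` for every allowed script, whereas `'wasm-unsafe-eval'` covers only WebAssembly compilation; I would state that and mark the line as a trackable TODO, for example `# TODO: replace 'unsafe-eval' with 'wasm-unsafe-eval' once Safari supports it; 'unsafe-eval' also allows eval()/Function(), which Pagefind does not need for Wasm.` The trailing colon now makes the Pagefind hosting link read as the source for the Safari limitation; if it is meant as the source for the Pagefind requirement, move it up a line or end the Safari sentence with a full stop. The `[server.headers.values]` table may continue past the end of this hunk.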