Generated code must be aligned with the security headers (e.g. no unsafe JS `eval`). The Permissions-Policy header is especially relevant when changing any code related to the `navigator` object.
Install
mkdir -p .claude/skills/security-headers && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16005" && unzip -o skill.zip -d .claude/skills/security-headers && rm skill.zip
Installs to .claude/skills/security-headers
About this skill
Security headers
Preview
Start local server with production build and applied security headers:
yarn workspace @trezor/suite-web preview
Build & Preview
Build web app and run the preview command:
yarn workspace @trezor/suite-web build:preview
or the root-level command:
yarn suite:build:web:preview
Security Headers
Permissions-Policy Rationale (Enabled Directives)
- usb=(self): packages/connect/src/index-browser.ts (window.navigator.usb.requestDevice(...)); packages/transport/src/transports/webusb.browser.ts
- camera=(self): packages/suite/src/components/suite/modals/ReduxModal/UserContextModal/QrScannerModal/CameraQRReader.tsx (react-zxing camera scanner used for QR input)
- clipboard-write=(self): packages/dom-utils/src/copyToClipboard.ts (navigator.clipboard.writeText(...)); packages/analytics-docs/src/components/AddEventModal/CopyButton.tsx; packages/analytics-docs/src/components/EventCard.tsx
- local-network-access=(self): packages/suite/src/hooks/suite/useLocalNetworkAccessPermission.ts (navigator.permissions.query({ name: 'local-network-access' })); packages/connect-web/src/impl/core-in-suite-desktop.ts (permission state check for websocket connectivity error handling)
clipboard-read is intentionally not enabled because its only direct usage is test-only (suite/e2e/tests/wallet/receive.test.ts) rather than Suite Web runtime behavior.
Disabled directives (=()) are intentionally blocked because there is no direct web runtime use of them at this time.
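As an added example (not code from the Trezor Suite repository), the following TypeScript builds a Permissions-Policy header value from a directive map shaped like the list above and scans source text for `navigator` features whose directive is disabled, plus `eval`-style constructs that a CSP without `'unsafe-eval'` would block. The directive names are those listed on this page; the feature-to-directive mapping, the function names and the two sample snippets are constructed for the example.

```typescript
// Added example, not Trezor Suite code: build a Permissions-Policy header value
// from a directive map and statically check generated source for (a) navigator
// features whose directive is disabled and (b) eval-style constructs that a CSP
// without 'unsafe-eval' would block. Directive names follow the page; the
// feature-to-directive mapping, function names and sample snippets are constructed.

type Allowlist = "self" | "none";

// Directive -> allowlist. "self" renders as `=(self)`, "none" as `=()`.
const PERMISSIONS_POLICY: Record<string, Allowlist> = {
  usb: "self",
  camera: "self",
  "clipboard-write": "self",
  "local-network-access": "self",
  "clipboard-read": "none",
  microphone: "none",
  geolocation: "none",
};

function buildPermissionsPolicy(policy: Record<string, Allowlist>): string {
  return Object.entries(policy)
    .map(([directive, allow]) => `${directive}=(${allow === "self" ? "self" : ""})`)
    .join(", ");
}

// Assumed mapping from a navigator API surface to the directive that gates it.
const FEATURE_PATTERNS: Array<{ directive: string; pattern: RegExp }> = [
  { directive: "usb", pattern: /navigator\.usb\b/ },
  { directive: "camera", pattern: /getUserMedia\s*\(\s*\{[^}]*video/ },
  { directive: "microphone", pattern: /getUserMedia\s*\(\s*\{[^}]*audio/ },
  { directive: "clipboard-write", pattern: /navigator\.clipboard\.write(Text)?\s*\(/ },
  { directive: "clipboard-read", pattern: /navigator\.clipboard\.read(Text)?\s*\(/ },
  { directive: "geolocation", pattern: /navigator\.geolocation\b/ },
];

// String-to-code constructs a CSP rejects unless script-src carries 'unsafe-eval'.
const EVAL_PATTERNS: RegExp[] = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bset(Timeout|Interval)\s*\(\s*['"`]/,
];

interface Finding {
  kind: "permissions-policy" | "unsafe-eval";
  directive?: string;
  line: number;
  text: string;
}

// Flags gated features whose directive is explicitly `=()`. Directives absent from
// the map fall back to the browser's default allowlist and are not flagged here.
function findPolicyViolations(source: string, policy: Record<string, Allowlist>): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    for (const { directive, pattern } of FEATURE_PATTERNS) {
      if (pattern.test(text) && policy[directive] === "none") {
        findings.push({ kind: "permissions-policy", directive, line: i + 1, text: text.trim() });
      }
    }
    if (EVAL_PATTERNS.some((p) => p.test(text))) {
      findings.push({ kind: "unsafe-eval", line: i + 1, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample snippets standing in for generated code.
const SAMPLE_OK = `
const device = await navigator.usb.requestDevice({ filters: [] });
await navigator.clipboard.writeText(address);
`;
const SAMPLE_BAD = `
const text = await navigator.clipboard.readText();
navigator.geolocation.getCurrentPosition(onPosition);
const fn = new Function("return " + expr);
`;

console.log(buildPermissionsPolicy(PERMISSIONS_POLICY));
console.log(findPolicyViolations(SAMPLE_BAD, PERMISSIONS_POLICY));
```

The line-oriented regexes are a review heuristic, not a parser: they will miss feature access split across lines or reached through aliases, and will flag matches inside comments and strings, so treat a hit as a prompt to compare the change against webSecurityHeaders.ts rather than as a verdict.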
Direct Code References
- Header values source: packages/suite-web/constants/webSecurityHeaders.ts
- Header type constraints: packages/suite-web/types/securityHeaders.ts
MDN references: