feat: implement Content Security Policy headers (#139) #762

Open
wei123-web wants to merge 1 commit into magic-peach:main from wei123-web:fix/csp-headers
@wei123-web
Contributor

Description

Adds Content Security Policy (CSP) headers via vercel.json to prevent XSS attacks and unauthorized resource loading.

Changes Made

  • Added vercel.json with CSP headers
  • Allows FFmpeg WASM via wasm-unsafe-eval
  • Allows blob URLs for video preview and download
  • Allows cdn.jsdelivr.net for external resources

Related Issue

Closes #139

Type of Contribution

  • Bug fix
  • New feature
  • Documentation update
  • GSSoC contribution

Participant Info

  • GitHub username: wei123-web
  • Contribution level: Beginner

Checklist

  • I have read the contribution guidelines
  • My changes follow the project structure
  • This PR is related to a valid issue
  • No console.log statements left in
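
An added example, not taken from this PR or the Reframe repository: a small audit that reads the `Content-Security-Policy` header out of a `vercel.json` object and checks it against the allowances listed in the description (WASM, blob URLs, cdn.jsdelivr.net). The policy string, `parseCsp`, `effective` and `auditVercelCsp` are all assumptions made for illustration; the PR's actual file is not shown on this page.

```javascript
// Constructed sample shaped like the vercel.json the PR describes; the
// directive values are assumptions, not the PR's actual file.
const vercelJson = { headers: [{ source: "/(.*)", headers: [{
  key: "Content-Security-Policy",
  value: "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' https://cdn.jsdelivr.net; " +
    "worker-src 'self' blob:; media-src 'self' blob:; connect-src 'self' https://cdn.jsdelivr.net; " +
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
}] }] };

// Split a CSP header value into { directive: [sources] }.
// A repeated directive is ignored by browsers: the first occurrence wins.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Source list that governs a fetch directive, with default-src fallback.
function effective(policy, directive) {
  return policy[directive] ?? policy["default-src"] ?? null;
}

function auditVercelCsp(config) {
  const rules = (config.headers ?? []).flatMap(r => r.headers ?? []);
  const csp = rules.find(h => String(h.key).toLowerCase() === "content-security-policy");
  if (!csp) return ["no Content-Security-Policy header configured"];
  const policy = parseCsp(csp.value);
  const findings = [];
  const script = effective(policy, "script-src");
  if (!script) findings.push("script-src has no fallback: scripts are unrestricted");
  for (const src of script ?? []) {
    if (src === "'unsafe-inline'" || src === "'unsafe-eval'") findings.push(`script-src allows ${src}`);
    if (src === "*" || src === "https:" || src === "data:") findings.push(`script-src allows broad source ${src}`);
  }
  // 'unsafe-eval' also permits WebAssembly compilation, so only flag when both are absent.
  if (script && !script.some(s => s === "'wasm-unsafe-eval'" || s === "'unsafe-eval'"))
    findings.push("WASM compilation will be blocked: no 'wasm-unsafe-eval'");
  const media = effective(policy, "media-src");
  if (media && !media.includes("blob:")) findings.push("blob: video preview will be blocked by media-src");
  const obj = effective(policy, "object-src");
  if (!obj || obj.join(" ") !== "'none'") findings.push("object-src is not 'none'");
  // base-uri does not fall back to default-src, so it must be set explicitly.
  if (!policy["base-uri"]) findings.push("base-uri is not set");
  return findings;
}
```

An empty result means the policy keeps the functional allowances without `'unsafe-inline'`, `'unsafe-eval'` or wildcard script sources.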

@vercel

vercel Bot commented May 19, 2026

@wei123-web is attempting to deploy a commit to the magic-peach1's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added level:beginner Beginner level - 20 pts type:bug Bug fix type:docs Documentation type:feature New feature type:security Security labels May 19, 2026
@github-actions
Contributor

👋 Thanks for your PR, @wei123-web!

Welcome to Reframe — a browser-based video editor built for everyone 🎬

🟠 GSSoC'26 PR detected — thanks for contributing under GirlScript Summer of Code 2026!

What happens next

  1. 🤖 Automated checks — build & TypeScript typecheck will run automatically
  2. Vercel preview — a preview deployment will be created (requires maintainer authorization for fork PRs)
  3. 👀 Code review — a maintainer will review your changes
  4. 🚀 Merge — once approved, your PR will be merged!

Quick checklist

  • PR title follows Conventional Commits (e.g. feat: add dark mode)
  • Linked the issue this PR closes (e.g. Closes #123)
  • Tested the changes locally (bun run dev)
  • Build passes (bun run build)

Happy coding! 🎉

@github-actions
Contributor

✅ PR Format Check Passed — @wei123-web

Basic format checks passed. A maintainer will review your code changes.

This does not mean the PR is approved — it just means the format is correct.

@github-actions github-actions Bot added the gssoc'26 GirlScript Summer of Code 2026 label May 19, 2026
Development

Successfully merging this pull request may close these issues.

[Security] Implement Content Security Policy (CSP) headers