Skip to content

07. Security & Safety

Topic Status
Translation privacy Text stays in-browser for inference
Model/CDN trust Public HF + jsDelivr/Tailwind/Google Fonts
Auth / secrets None
SRI / CSP Not configured
Fetch monkey-patch Temporary during tokenizer load — concurrent fetch risk
XSS Limited innerHTML for controlled UI strings

Interview angle

Privacy win is real for translation text; supply-chain trust shifts to CDN and HF weights.