From 85f1017514c2df236e7f284a4e6b4d5dfd05467d Mon Sep 17 00:00:00 2001
From: Hermes Agent
Date: Tue, 14 Apr 2026 21:14:33 +0000
Subject: [PATCH] fix(csp): allow cdn.jsdelivr.net for font-src so KaTeX fonts load (fixes #477)

---
 api/helpers.py | 2 +-
 tests/test_issue477.py | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 tests/test_issue477.py

diff --git a/api/helpers.py b/api/helpers.py
index 127813c..92c024c 100644
--- a/api/helpers.py
+++ b/api/helpers.py
@@ -45,7 +45,7 @@ def _security_headers(handler):
 "default-src 'self'; "
 "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
 "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
- "img-src 'self' data:; font-src 'self' data:; connect-src 'self'; "
+ "img-src 'self' data:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
 "base-uri 'self'; form-action 'self'"
 )
 handler.send_header(
diff --git a/tests/test_issue477.py b/tests/test_issue477.py
new file mode 100644
index 0000000..7acaada
--- /dev/null
+++ b/tests/test_issue477.py
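Review bot: The new `font-src` entry allowlists the entire `https://cdn.jsdelivr.net` origin, so every file that CDN serves becomes an acceptable font source, not just the KaTeX font files the fix needs; a CSP host source may carry a path, so `font-src 'self' data: https://cdn.jsdelivr.net/npm/katex@<KATEX_VERSION>/dist/fonts/;` (with whatever KaTeX version the page actually loads) keeps the directive as narrow as the bug requires, and self-hosting the fonts under `'self'` would drop the third-party dependency altogether. With this change the same origin is now spelled out in three directives, so hoisting it into one module-level constant would keep script-src, style-src and font-src from drifting apart again. The policy visible here carries no `report-to`/`report-uri` directive, which is why a violation like #477 only showed up in the browser console; adding one would make future misses observable server-side. `_security_headers` starts and ends outside the hunk.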
@@ -0,0 +1,26 @@
+"""Tests for fix #477: KaTeX font-src CSP fix."""
+import pathlib
+
+REPO = pathlib.Path(__file__).parent.parent
+HELPERS_PY = (REPO / "api" / "helpers.py").read_text(encoding="utf-8")
+
+
+def test_font_src_allows_jsdelivr():
+ """font-src must include cdn.jsdelivr.net for KaTeX fonts."""
+ assert "font-src 'self' data: https://cdn.jsdelivr.net" in HELPERS_PY, (
+ "api/helpers.py CSP must allow cdn.jsdelivr.net in font-src "
+ "so KaTeX math rendering fonts load without console errors."
+ )
+
+
+def test_font_src_still_allows_self_and_data():
+ """font-src must still allow self and data: (used by other font assets)."""
+ assert "'self'" in HELPERS_PY.split("font-src")[1].split(";")[0]
+ assert "data:" in HELPERS_PY.split("font-src")[1].split(";")[0]
+
+
+def test_script_src_already_allows_jsdelivr():
+ """script-src already allows cdn.jsdelivr.net — font-src should too."""
+ assert "https://cdn.jsdelivr.net" in HELPERS_PY.split("font-src")[0], (
+ "script-src should already allow cdn.jsdelivr.net (KaTeX JS)"
+ )
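Review bot: All three tests assert on the raw text of `api/helpers.py` rather than on the header `_security_headers` actually emits, so a harmless refactor (hoisting the CDN origin into a constant, reordering `data:` and the host, rewrapping the string) fails them while a policy bug that happens to keep the substring passes; driving `_security_headers` with a stub handler and parsing the emitted policy into directives tests the behaviour instead. Separately, `test_script_src_already_allows_jsdelivr` only checks that the host appears somewhere before the first `font-src` in the file, which the `style-src` line (or a comment) already satisfies, so it does not establish what its docstring claims; `assert "https://cdn.jsdelivr.net" in HELPERS_PY.split("script-src")[1].split(";")[0]` would. The sketch below assumes `send_header(name, value)` in the `BaseHTTPRequestHandler` style, which the call at the end of the other hunk suggests but does not show, and that the policy is sent under the `Content-Security-Policy` name; adjust the key if the code uses a different header, and import `_security_headers` from `api.helpers` however the test suite reaches the package.
```python
class _HeaderRecorder:
    """Minimal stand-in for the request handler: records send_header calls."""

    def __init__(self):
        self.headers = {}

    def send_header(self, name, value):
        self.headers[name] = value


def _csp_directives():
    """Return the emitted CSP as {directive: [source, ...]}."""
    handler = _HeaderRecorder()
    _security_headers(handler)
    policy = handler.headers["Content-Security-Policy"]  # adjust if the header name differs
    return {
        parts[0]: parts[1:]
        for parts in (directive.split() for directive in policy.split(";"))
        if parts
    }


def test_font_src_allows_jsdelivr():
    """font-src must include cdn.jsdelivr.net for KaTeX fonts."""
    assert "https://cdn.jsdelivr.net" in _csp_directives()["font-src"]

# … unchanged in intent: the other two tests, rewritten to read _csp_directives()["font-src"] and ["script-src"] …
```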