fix(csp): allow cdn.jsdelivr.net for font-src so KaTeX fonts load (fixes #477)

api/helpers.py

@@ -45,7 +45,7 @@ def _security_headers(handler):
         "default-src 'self'; "
         "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
         "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
-        "img-src 'self' data:; font-src 'self' data:; connect-src 'self'; "
+        "img-src 'self' data:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
         "base-uri 'self'; form-action 'self'"
     )
     handler.send_header(

tests/test_issue477.py

@@ -0,0 +1,26 @@
+"""Tests for fix #477: KaTeX font-src CSP fix."""
+import pathlib
+
+REPO = pathlib.Path(__file__).parent.parent
+HELPERS_PY = (REPO / "api" / "helpers.py").read_text(encoding="utf-8")
+
+
+def test_font_src_allows_jsdelivr():
+    """font-src must include cdn.jsdelivr.net for KaTeX fonts."""
+    assert "font-src 'self' data: https://cdn.jsdelivr.net" in HELPERS_PY, (
+        "api/helpers.py CSP must allow cdn.jsdelivr.net in font-src "
+        "so KaTeX math rendering fonts load without console errors."
+    )
+
+
+def test_font_src_still_allows_self_and_data():
+    """font-src must still allow self and data: (used by other font assets)."""
+    assert "'self'" in HELPERS_PY.split("font-src")[1].split(";")[0]
+    assert "data:" in HELPERS_PY.split("font-src")[1].split(";")[0]
+
+
+def test_script_src_already_allows_jsdelivr():
+    """script-src already allows cdn.jsdelivr.net — font-src should too."""
+    assert "https://cdn.jsdelivr.net" in HELPERS_PY.split("font-src")[0], (
+        "script-src should already allow cdn.jsdelivr.net (KaTeX JS)"
+    )