From cc8cbc4d3fda1b30b3112bbf7e918aa63b52e6d0 Mon Sep 17 00:00:00 2001
From: nesquena-hermes
Date: Thu, 9 Apr 2026 19:07:51 -0700
Subject: [PATCH] fix(security): add unsafe-inline and CDN allowlist to CSP script-src (#209)

The CSP script-src 'self' policy blocked all inline onclick= event handlers in index.html (55+ handlers including toggleSettings(), switchPanel(), filterSessions() etc.), making the settings panel, sidebar navigation, and most interactive UI elements non-functional. Also restores https://cdn.jsdelivr.net to both script-src and style-src (required for Mermaid.js dynamic load in ui.js and Prism.js static load in index.html). This was present in the original PR #197 merge but was dropped in the v0.42.1 commit. script-src additions: - 'unsafe-inline': required for onclick=/oninput=/onchange= attributes - https://cdn.jsdelivr.net: Mermaid (dynamic) and Prism (static with SRI) style-src: retains 'unsafe-inline' + cdn.jsdelivr.net (Prism CSS)

Co-authored-by: Nathan Esquenazi
---
 api/helpers.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/api/helpers.py b/api/helpers.py
index e1689df..01ed36b 100644
--- a/api/helpers.py
+++ b/api/helpers.py
@@ -41,7 +41,9 @@ def _security_headers(handler):
     handler.send_header('Referrer-Policy', 'same-origin')
     handler.send_header(
         'Content-Security-Policy',
-        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
+        "default-src 'self'; "
+        "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+        "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
         "img-src 'self' data:; font-src 'self' data:; connect-src 'self'; "
         "base-uri 'self'; form-action 'self'"
     )
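Review bot: Adding `'unsafe-inline'` to script-src on the second added line removes the one CSP directive that actually mitigates reflected and stored XSS, so after this change the header mostly documents intent rather than enforcing it; the commit message explains the UI breakage but does not record that this is a deliberate, temporary regression. The durable fix is on the index.html/ui.js side (register the onclick=/oninput=/onchange= handlers with addEventListener, then drop `'unsafe-inline'` from script-src, or serve a per-response nonce if some inline script must remain), and the host allowlist would be tighter if the Mermaid load in ui.js carried an integrity attribute like the Prism tag already does. Until that lands, the string should carry a marker so the next reader does not take it as the intended policy, e.g. `# TODO(security): 'unsafe-inline' in script-src neuters CSP against XSS; remove once index.html inline handlers move to addEventListener`, placed above the `'Content-Security-Policy'` line. The enclosing `_security_headers` function starts before this hunk, so any header-ordering concern is outside what is visible here.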