The CSP script-src 'self' policy blocked all inline onclick= event handlers in index.html (55+ handlers including toggleSettings(), switchPanel(), filterSessions() etc.), making the settings panel, sidebar navigation, and most interactive UI elements non-functional.

Also restores https://cdn.jsdelivr.net to both script-src and style-src (required for Mermaid.js dynamic load in ui.js and Prism.js static load in index.html). This was present in the original PR #197 merge but was dropped in the v0.42.1 commit.

script-src additions:
- 'unsafe-inline': required for onclick=/oninput=/onchange= attributes
- https://cdn.jsdelivr.net: Mermaid (dynamic) and Prism (static with SRI)

style-src: retains 'unsafe-inline' + cdn.jsdelivr.net (Prism CSS)

Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
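A regression check for the breakage this commit message describes, as an added example that is not code from the project: it reports when markup relies on inline on*= handlers that the served CSP would block. The function names, the sample HTML (including the switchPanel argument) and the two policy strings are constructed from the message's description.

```javascript
// Added example; names and sample inputs are constructed, not the project's.

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // Browsers ignore a repeated directive, so keep the first occurrence.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Inline on*= attributes are governed by script-src-attr, falling back to
// script-src, then default-src.
function inlineHandlersAllowed(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src-attr') || d.get('script-src') || d.get('default-src');
  if (!sources) return true; // no governing directive, nothing is blocked
  // A nonce or hash in the same directive makes browsers ignore 'unsafe-inline'.
  // Simplification: 'unsafe-hashes' is not evaluated and counts as blocking.
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !nonceOrHash;
}

// Approximate scan for inline event-handler attributes (regex, not an HTML parser).
function findInlineHandlers(html) {
  return [...html.matchAll(/\s(on[a-z]+)\s*=\s*["']/gi)].map((m) => m[1].toLowerCase());
}

// Report whether the markup relies on handlers that the policy would block.
function audit(policy, html) {
  const handlers = findInlineHandlers(html);
  const allowed = inlineHandlersAllowed(policy);
  return { handlers, allowed, broken: handlers.length > 0 && !allowed };
}

// Constructed inputs based on the commit message's description.
const SAMPLE_HTML = `
<button onclick="toggleSettings()">Settings</button>
<a href="#" onclick="switchPanel('chat')">Chat</a>
<input type="search" oninput="filterSessions()">`;
const STRICT = "script-src 'self'";
const RESTORED = "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; " +
  "style-src 'unsafe-inline' https://cdn.jsdelivr.net";

console.log(audit(STRICT, SAMPLE_HTML));   // broken: true
console.log(audit(RESTORED, SAMPLE_HTML)); // broken: false
```

Run in CI against the real index.html and the header the server emits, the same check also flags a later change that adds a nonce or hash to script-src, since browsers then ignore 'unsafe-inline' and the handlers stop working again.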