From 95cb97b48a52babdaee552c4d586d8876b6d935c Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Fri, 10 Apr 2026 14:15:37 +0200
Subject: [PATCH] Allow cdn.jsdelivr.net in CSP for Swagger UI API docs page

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 proxy.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/proxy.ts b/proxy.ts
index 0fb907ad..6afd29bb 100644
--- a/proxy.ts
+++ b/proxy.ts
@@ -21,10 +21,10 @@ function buildCsp(nonce: string): string {
 const directives = [
 "default-src 'self'",
 isDev
- ? `script-src 'self' 'nonce-${nonce}' 'unsafe-eval'`
- : `script-src 'self' 'nonce-${nonce}'`,
+ ? `script-src 'self' 'nonce-${nonce}' 'unsafe-eval' https://cdn.jsdelivr.net`
+ : `script-src 'self' 'nonce-${nonce}' https://cdn.jsdelivr.net`,
 // style-src still needs 'unsafe-inline' for React JSX inline style props
- "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+ "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net",
 "font-src 'self' https://fonts.gstatic.com",
 "img-src 'self' data: blob:",
 "worker-src blob:",
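Review bot: The `https://cdn.jsdelivr.net` source added to `script-src` (both the dev and prod branches) allowlists the whole CDN origin for every response that gets this policy, not just the API docs page. jsDelivr serves arbitrary npm and GitHub content, so a markup-injection bug anywhere in the app would no longer be stopped by the nonce. Since `buildCsp` already receives a nonce, prefer putting it on the Swagger UI `<script>` tag (with an SRI `integrity` attribute on a pinned asset) or self-hosting the bundle, rather than adding a host source. If a host source has to stay, narrow it to the package path, e.g. `https://cdn.jsdelivr.net/npm/swagger-ui-dist@<PINNED_VERSION>/`, and emit it only for the docs route; the same scoping applies to the `style-src` line. `buildCsp` starts and ends outside the hunk, so whether the policy is already route-specific cannot be confirmed from here.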