From 87f9d5ff2102a667a0cb0f11be8ea5bf3cd9fb46 Mon Sep 17 00:00:00 2001 From: Torgny Bjers Date: Thu, 25 Jun 2026 22:55:35 -0400 Subject: [PATCH] fix: relax CSP to allow SvelteKit bootstrap and Cloudflare edge scripts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The strict default-src 'self' policy blocked three categories of content that cannot be handled with build-time hashes: - SvelteKit's inline bootstrap script in index.html - Scripts injected by Cloudflare at the edge (Web Analytics, etc.) whose content is unknown at build time — once any hash appears in script-src, browsers ignore 'unsafe-inline', so hash mode is not a viable escape hatch - The Cloudflare Insights beacon loaded from static.cloudflareinsights.com - The style="display:contents" attribute SvelteKit emits on its body wrapper Adds explicit script-src and style-src directives with 'unsafe-inline' and the Cloudflare Insights origin/connect-src. The dashboard is already gated by Cloudflare Access, so CSP here is defence-in-depth rather than the primary XSS control. Co-Authored-By: Claude Sonnet 4.6 --- dashboard/static/_headers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dashboard/static/_headers b/dashboard/static/_headers index 9cbd19e..f7ef77f 100644 --- a/dashboard/static/_headers +++ b/dashboard/static/_headers @@ -2,4 +2,4 @@ X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: strict-origin-when-cross-origin - Content-Security-Policy: default-src 'self'; img-src 'self' https://avatars.githubusercontent.com; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self' + Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://avatars.githubusercontent.com; connect-src 'self' https://cloudflareinsights.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'