From 6a0aca1a6cc92f8e89838a519f360f9baf3ea422 Mon Sep 17 00:00:00 2001
From: hobokenchicken
Date: Sat, 7 Mar 2026 00:28:49 +0000
Subject: [PATCH] fix(dashboard): relax CSP to allow external CDNs for UI libraries

This commit updates the Content Security Policy to allow scripts, styles, and fonts from cdn.jsdelivr.net, cdnjs.cloudflare.com, fonts.googleapis.com, and fonts.gstatic.com. This resolves the 'luxon is not defined' error and fixes the broken charts by allowing Chart.js, Luxon, FontAwesome, and Google Fonts to load properly in the dashboard.
---
 src/dashboard/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/dashboard/mod.rs b/src/dashboard/mod.rs
index 591343ac..4c0ed61a 100644
--- a/src/dashboard/mod.rs
+++ b/src/dashboard/mod.rs
@@ -83,7 +83,7 @@ pub fn router(state: AppState) -> Router {
     // Security headers
     let csp_header: SetResponseHeaderLayer = SetResponseHeaderLayer::overriding(
         header::CONTENT_SECURITY_POLICY,
-        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ws:;"
+        "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' ws:;"
             .parse()
             .unwrap(),
     );
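Review bot: The `https://cdn.jsdelivr.net` entry added to `script-src` on the `+` line makes the dashboard execute whatever that origin serves, and per the diffstat only `mod.rs` changes, so nothing in this commit pairs the allowlist with Subresource Integrity on the tags that load Chart.js and Luxon; a tampered or mis-served CDN response would then run with the dashboard's full page privileges. The safer fix is to keep `script-src 'self'` and vendor Chart.js and Luxon into the app's own static assets; if the CDN is kept, pin the loaded file versions and put `integrity=` (SRI) hashes on the `<script>` and `<link>` tags, and record that contract next to the header with a comment such as `// External origins allowlisted for Chart.js/Luxon (jsdelivr), FontAwesome (cdnjs) and Google Fonts; CSP trusts everything these hosts serve, so the loading tags must carry SRI hashes.` The same applies, with lower impact, to the `cdnjs.cloudflare.com` entries in `style-src` and `font-src`. `router` continues outside the hunk.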