From bd5ca2dd985c34124ea2b3d7716ad186d5e92735 Mon Sep 17 00:00:00 2001
From: hobokenchicken
Date: Sat, 7 Mar 2026 00:45:30 +0000
Subject: [PATCH] fix(dashboard): allow unsafe-inline scripts in CSP

This commit adds 'unsafe-inline' to the script-src CSP directive. The frontend dashboard heavily relies on inline event handlers (e.g., onclick=...) dynamically generated via template literals in its vanilla JavaScript architecture. Without this directive, modern browsers block these handlers, rendering interactive elements like the Config button completely inert.
---
 src/dashboard/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/dashboard/mod.rs b/src/dashboard/mod.rs
index 4c0ed61a..460e5f71 100644
--- a/src/dashboard/mod.rs
+++ b/src/dashboard/mod.rs
@@ -83,7 +83,7 @@ pub fn router(state: AppState) -> Router {
 // Security headers
 let csp_header: SetResponseHeaderLayer = SetResponseHeaderLayer::overriding(
 header::CONTENT_SECURITY_POLICY,
-"default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' ws:;"
+"default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' ws:;"
 .parse()
 .unwrap(),
 );
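Review bot: Adding 'unsafe-inline' to script-src on the `+` line removes the one protection this CSP gave against injected inline scripts: any markup-injection point in the dashboard now becomes script execution, and handlers built from template literals, as the commit message describes, is exactly the pattern that tends to create such injection points. Because the header is a fixed string installed via `SetResponseHeaderLayer::overriding`, a per-request nonce (`script-src 'self' 'nonce-…' https://cdn.jsdelivr.net`) would need a small middleware that generates the nonce and hands it to the page template, or alternatively the inline `onclick` handlers can move to `addEventListener` calls in a script served from 'self' so the original directive can stay as it was. If the relaxation has to ship now, mark it where the policy is built so it does not silently become permanent, e.g. `// SECURITY: 'unsafe-inline' in script-src disables CSP's mitigation against injected scripts; revert once inline handlers use addEventListener or a per-request nonce is issued.` Note that browsers ignore 'unsafe-inline' in script-src once a nonce or hash source is present, so the two cannot be combined as a gradual transition. The `router` function continues outside the hunk.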