From ef03c1433d05a4aa7600d133262ea30c45f303a3 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Fri, 11 Apr 2025 22:58:51 +0200
Subject: [PATCH] Complete CSP authorized hosts to restore QR scan & background images - Fixes #472
---
 app/Http/Middleware/AddContentSecurityPolicyHeaders.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
index 2c8f2e26..b41cbf51 100644
--- a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
+++ b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
@@ -21,6 +21,7 @@ class AddContentSecurityPolicyHeaders
 // We build a space separated list of addresses to be allowed.
 Vite::useCspNonce();
 $authorizedAddresses[] = config('app.url') . ':*';
+ $authorizedAddresses[] = 'https://fastly.jsdelivr.net:*';
 // We add custom asset url if defined
 if (config('app.asset_url') && config('app.asset_url') != config('app.url')) {
@@ -42,7 +43,7 @@ class AddContentSecurityPolicyHeaders
 $directives['script-src'] = "script-src 'nonce-" . Vite::cspNonce() . "' 'strict-dynamic'";
 $directives['style-src'] = "style-src 'self' " . $authorizedAddresses . " 'unsafe-inline'";
 $directives['connect-src'] = "connect-src 'self' " . $authorizedAddresses;
- $directives['img-src'] = "img-src 'self' " . $authorizedAddresses;
+ $directives['img-src'] = "img-src 'self' data: " . $authorizedAddresses;
 $directives['object-src'] = "object-src 'none'";
 $directives['default-src'] = "default-src 'self'";
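Review bot: The CDN host added in the first hunk lands in every directive built from the shared `$authorizedAddresses` list — style-src, connect-src and img-src in the second hunk, and any other consumer of that list outside this view — rather than only the directive the QR scanner needs, and nothing records why an external origin is trusted at all. Keep the CDN in a separate, narrowly scoped list that is spliced only into the directive(s) that actually require it, or at minimum add a comment such as `// fastly.jsdelivr.net: presumably the QR scanner's runtime assets (#472) — confirm which directives need it`, because broadening connect-src and style-src to a third-party host is a wider CSP relaxation than the nonce-plus-'strict-dynamic' script-src makes it look. The `:*` port wildcard copied from the `config('app.url')` entry is unnecessary for a public HTTPS CDN; `https://fastly.jsdelivr.net` is the tighter source expression. The host is also hard-coded while app.url and app.asset_url come from config, so self-hosted or offline deployments cannot redirect or disable it; consider reading it from config alongside those. The method enclosing both hunks starts and ends outside the diff.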