From a8c7e06330911aeed80d56f1aea1872de011b8af Mon Sep 17 00:00:00 2001
From: Avinal Kumar
Date: Tue, 16 Jun 2026 13:50:41 +0530
Subject: [PATCH] Allow CDN scripts/styles for /talks/* in CSP header

Reveal.js, Mermaid, and highlight.js load from cdnjs.cloudflare.com and cdn.jsdelivr.net. Add a path-specific CSP override for /talks/* so these CDN resources are not blocked.
---
 netlify.toml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/netlify.toml b/netlify.toml
index 8e0152b..7a53787 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -14,3 +14,8 @@
     Permissions-Policy = "camera=(), microphone=(), geolocation=()"
     X-XSS-Protection = "1; mode=block"
     Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cal.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.listenbrainz.org https://coverartarchive.org https://itunes.apple.com https://api.github.com https://wakatime.com; frame-src https://cal.com;"
+
+[[headers]]
+  for = "/talks/*"
+  [headers.values]
+    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://fonts.googleapis.com; img-src 'self' https: data:; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; connect-src 'self';"
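Review bot: The new `/talks/*` rule restates a full Content-Security-Policy, but whether it replaces the site-wide policy from the `/*` rule or is emitted as a second header depends on how Netlify merges headers from multiple matching rules; if both headers reach the browser the two policies are intersected and the cdnjs/jsdelivr origins remain blocked, so confirm after deploy that a response for `/talks/` carries exactly one Content-Security-Policy header. The allowlist also grants the whole of `https://cdnjs.cloudflare.com` and `https://cdn.jsdelivr.net` in `script-src` alongside the inherited `'unsafe-inline'`, so any script hosted on those CDNs becomes executable on talk pages; CSP source expressions accept path prefixes, so narrowing to the library directories actually used (e.g. `https://cdnjs.cloudflare.com/ajax/libs/reveal.js/`) would bound that, and adding `integrity` attributes on the CDN `<script>`/`<link>` tags would pin the exact files. A short comment above the block would save the next editor from re-deriving the rationale, e.g. `# Talks embed Reveal.js, Mermaid and highlight.js from cdnjs/jsdelivr; this policy is scoped to /talks/* only`. The context lines belong to the site-wide `[[headers]]` rule whose `for` line starts outside the hunk.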