Relax CSP settings in local.py to fix Stripe Connect issues

- Convert CSP settings to lists
- Add 'unsafe-eval' and 'unsafe-inline' to script-src
- Add 'blob:' to default-src as fallback
- Update connect-src to include Stripe domains

smoothschedule/config/settings/local.py

@@ -6,37 +6,41 @@ from .multitenancy import env, INSTALLED_APPS, MIDDLEWARE
 # CONTENT SECURITY POLICY (CSP)
 # Explicitly imported/re-defined here to ensure they are active in local dev
 # =============================================================================
-CSP_DEFAULT_SRC = ("'self'",)
-CSP_SCRIPT_SRC = (
+CSP_DEFAULT_SRC = ["'self'", "blob:", "data:"]
+CSP_SCRIPT_SRC = [
     "'self'",
+    "'unsafe-inline'",
+    "'unsafe-eval'",
     "https://js.stripe.com",
     "https://connect-js.stripe.com",
     "https://www.googletagmanager.com",
     "https://www.google-analytics.com",
     "blob:",  # Required for Stripe
-)
-CSP_STYLE_SRC = (
+]
+CSP_STYLE_SRC = [
     "'self'",
     "'unsafe-inline'",  # Required for Stripe and many UI libraries
-)
-CSP_IMG_SRC = (
+    "https://fonts.googleapis.com",
+]
+CSP_IMG_SRC = [
     "'self'",
     "data:",
     "https://*.stripe.com",
     "https://www.google-analytics.com",
-)
-CSP_CONNECT_SRC = (
+]
+CSP_CONNECT_SRC = [
     "'self'",
     "https://api.stripe.com",
+    "https://connect-js.stripe.com",
     "https://www.google-analytics.com",
     "https://stats.g.doubleclick.net",
-)
-CSP_FRAME_SRC = (
+]
+CSP_FRAME_SRC = [
     "'self'",
     "https://js.stripe.com",
     "https://hooks.stripe.com",
     "https://connect-js.stripe.com",
-)
+]
 
 
 # GENERAL