From 86cde135a9b649accb8ebaec6bf954f48f16a06e Mon Sep 17 00:00:00 2001
From: poduck
Date: Mon, 1 Dec 2025 03:56:05 -0500
Subject: [PATCH] fix(csp): Allow cdn.jsdelivr.net for Swagger UI assets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added cdn.jsdelivr.net to Content Security Policy directives to allow Swagger UI assets (JavaScript, CSS, and images) to load properly.

Updated CSP directives:
- CSP_SCRIPT_SRC: Added cdn.jsdelivr.net for swagger-ui-bundle.js
- CSP_STYLE_SRC: Added cdn.jsdelivr.net for swagger-ui.css
- CSP_IMG_SRC: Added cdn.jsdelivr.net for favicon

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 smoothschedule/config/settings/multitenancy.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/smoothschedule/config/settings/multitenancy.py b/smoothschedule/config/settings/multitenancy.py
index 65c50cd..397d528 100644
--- a/smoothschedule/config/settings/multitenancy.py
+++ b/smoothschedule/config/settings/multitenancy.py
@@ -239,17 +239,20 @@ CSP_SCRIPT_SRC = (
 "https://connect-js.stripe.com",
 "https://www.googletagmanager.com",
 "https://www.google-analytics.com",
+ "https://cdn.jsdelivr.net", # Required for Swagger UI
 "blob:", # Required for Stripe
 )
 CSP_STYLE_SRC = (
 "'self'",
 "'unsafe-inline'", # Required for Stripe and many UI libraries
+ "https://cdn.jsdelivr.net", # Required for Swagger UI
 )
 CSP_IMG_SRC = (
 "'self'",
 "data:",
 "https://*.stripe.com",
 "https://www.google-analytics.com",
+ "https://cdn.jsdelivr.net", # Required for Swagger UI
 )
 CSP_CONNECT_SRC = (
 "'self'",
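Review bot: The `"https://cdn.jsdelivr.net"` entry added to `CSP_SCRIPT_SRC` allowlists the entire jsDelivr origin, which serves arbitrary third-party package content, so an HTML-injection bug anywhere on the site could load executable script from a host the policy now trusts. Narrow it to the path actually needed, for example `"https://cdn.jsdelivr.net/npm/swagger-ui-dist@<PINNED_VERSION>/",  # Swagger UI assets only`, and do the same for the `CSP_STYLE_SRC` and `CSP_IMG_SRC` additions. The package path and version here are placeholders, since the page does not show the URLs the docs page loads. These look like site-wide settings, so the relaxation presumably reaches every tenant page rather than only the API docs. If this is django-csp, scoping the extra sources to the docs view with its `csp_update` decorator, or serving the Swagger UI bundle from `'self'`, would leave the global policy unchanged. The `CSP_SCRIPT_SRC` tuple opens before the hunk and `CSP_CONNECT_SRC` continues past it, so the remaining sources are not visible here.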