From 00512c639841dac9ca8d1cff5c2532ce7584eb15 Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 10:14:09 -0800
Subject: fix: relax CSP to allow unsafe-eval for legacy UI
---
 web/web.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'web/web.go')
diff --git a/web/web.go b/web/web.go
index 6c8e632..ffec8b9 100644
--- a/web/web.go
+++ b/web/web.go
@@ -401,7 +401,7 @@ func SecurityHeadersMiddleware(next http.Handler) http.Handler {
 // style-src 'self' 'unsafe-inline' (for React/styled-components if used)
 // img-src 'self' data: * (RSS images can be from anywhere)
 // connect-src 'self' (API calls)
- w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: *; connect-src 'self'; frame-ancestors 'none';")
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: *; connect-src 'self'; frame-ancestors 'none';")
 next.ServeHTTP(w, r)
 })
 }
--
cgit v1.2.3
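Review bot: Adding `'unsafe-eval'` to `script-src` on the new `w.Header().Set("Content-Security-Policy", ...)` line relaxes the policy for every response that passes through SecurityHeadersMiddleware, not only for the legacy UI named in the commit subject. With it, `eval`, `new Function` and string-argument timers are permitted again, so the CSP no longer blocks script execution if markup injected into a page (the comments suggest the app renders third-party RSS content) reaches one of those sinks. Consider choosing the relaxed policy only for the legacy UI's route prefix and keeping `script-src 'self'` for everything else, and record the exception next to the other directive comments, e.g. `// script-src 'self' 'unsafe-eval' (legacy UI needs eval; remove once it is migrated)`. The middleware body starts above the hunk, so an existing script-src comment line may already be there and would then need the same update.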