CSP fixes

ScriptSmith · ScriptSmith · commit fe8c08faece8 · 2026-02-23T08:30:33.000+10:00
diff --git a/docs/content/docs/configuration/server.mdx b/docs/content/docs/configuration/server.mdx
@@ -143,20 +143,22 @@ permissions_policy = "geolocation=(), microphone=()"
 Hadrian ships a default CSP tailored for the web UI's frontend tools (Python, JavaScript, SQL, and chart execution via WASM):
 
 ```
-default-src 'self'; script-src 'self' blob:; style-src 'self' 'unsafe-inline';
-img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self';
-worker-src 'self' blob:; frame-src 'self' blob:; object-src 'none'; base-uri 'self'
+default-src 'self'; script-src 'self' blob: 'unsafe-eval' https://cdn.jsdelivr.net;
+style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:;
+connect-src 'self' https://cdn.jsdelivr.net; worker-src 'self' blob:;
+frame-src 'self' blob:; object-src 'none'; base-uri 'self'
 ```
 
-| Directive    | Value                    | Reason                                                           |
-| ------------ | ------------------------ | ---------------------------------------------------------------- |
-| `script-src` | `'self' blob:`           | WASM workers (Pyodide, QuickJS, DuckDB) are loaded as blob URLs. |
-| `style-src`  | `'self' 'unsafe-inline'` | Tailwind CSS injects styles dynamically.                         |
-| `worker-src` | `'self' blob:`           | Web Workers run sandboxed code execution.                        |
-| `frame-src`  | `'self' blob:`           | HTML artifact previews render in sandboxed iframes.              |
-| `img-src`    | `'self' data: blob:`     | Generated charts and inline images use data/blob URIs.           |
-| `object-src` | `'none'`                 | Blocks plugin-based content (Flash, Java applets).               |
-| `base-uri`   | `'self'`                 | Prevents `<base>` tag injection attacks.                         |
+| Directive     | Value                                                 | Reason                                                                                                   |
+| ------------- | ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
+| `script-src`  | `'self' blob: 'unsafe-eval' https://cdn.jsdelivr.net` | WASM workers as blob URLs; `unsafe-eval` for Pyodide Python bytecode execution; CDN for Pyodide modules. |
+| `style-src`   | `'self' 'unsafe-inline'`                              | Tailwind CSS injects styles dynamically.                                                                 |
+| `worker-src`  | `'self' blob:`                                        | Web Workers run sandboxed code execution.                                                                |
+| `frame-src`   | `'self' blob:`                                        | HTML artifact previews render in sandboxed iframes.                                                      |
+| `img-src`     | `'self' data: blob:`                                  | Generated charts and inline images use data/blob URIs.                                                   |
+| `connect-src` | `'self' https://cdn.jsdelivr.net`                     | Pyodide fetches WASM binaries and packages from CDN.                                                     |
+| `object-src`  | `'none'`                                              | Blocks plugin-based content (Flash, Java applets).                                                       |
+| `base-uri`    | `'self'`                                              | Prevents `<base>` tag injection attacks.                                                                 |
 
 Override this by setting `content_security_policy` explicitly. Set to an empty string to disable the CSP header entirely.
 
diff --git a/src/config/server.rs b/src/config/server.rs
@@ -460,15 +460,18 @@ fn default_frame_options() -> Option<String> {
 /// Default Content-Security-Policy for the web UI.
 ///
 /// Directives:
-/// - `script-src blob:` — WASM workers (Pyodide, QuickJS, DuckDB) loaded as blob URLs
+/// - `script-src blob: 'unsafe-eval' https://cdn.jsdelivr.net` — WASM workers loaded as blob
+///   URLs; `unsafe-eval` required by Pyodide for Python bytecode execution; CDN for Pyodide modules
 /// - `style-src 'unsafe-inline'` — Tailwind CSS dynamic styling
 /// - `worker-src blob:` — Web Worker sandboxed execution
 /// - `frame-src blob:` — HTML artifact preview iframes
 /// - `img-src data: blob:` — Generated charts/images and inline assets
+/// - `media-src blob:` — Audio playback from generated TTS blob URLs
+/// - `connect-src https://cdn.jsdelivr.net` — Pyodide fetches WASM/packages from CDN
 /// - `object-src 'none'` — Blocks plugins (Flash, Java applets)
 /// - `base-uri 'self'` — Prevents `<base>` tag injection
 fn default_csp() -> Option<String> {
-    Some("default-src 'self'; script-src 'self' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; worker-src 'self' blob:; frame-src 'self' blob:; object-src 'none'; base-uri 'self'".to_string())
+    Some("default-src 'self'; script-src 'self' blob: 'unsafe-eval' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; media-src 'self' blob:; connect-src 'self' https://cdn.jsdelivr.net; worker-src 'self' blob:; frame-src 'self' blob:; object-src 'none'; base-uri 'self'".to_string())
 }
 
 fn default_xss_protection() -> Option<String> {
