From 0fb507f2472d3c776092a8331ce43c221a94f4f5 Mon Sep 17 00:00:00 2001
From: Nils-Johan Gynther
Date: Sat, 23 May 2026 20:14:04 +0200
Subject: [PATCH] ci(caddy): update Content-Security-Policy for Google Fonts and scripts
Updated the Content-Security-Policy header to include Google Fonts and Google Analytics domains:
- Added `https://www.gstatic.com` to `script-src`, `script-src-elem`, `img-src`, and `font-src` directives
- Removed duplicate `script-src` and `style-src` entries in the policy
- Ensured all relevant directives properly include the new domains
---
 flutter/Caddyfile | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/flutter/Caddyfile b/flutter/Caddyfile
index d0cb9611..3def350e 100644
--- a/flutter/Caddyfile
+++ b/flutter/Caddyfile
@@ -2,7 +2,7 @@
 root * /usr/share/caddy
 header {
- Content-Security-Policy "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https: http: ws: wss:; worker-src 'self' blob:"
+ Content-Security-Policy "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; script-src 'self' 'unsafe-inline' https://www.gstatic.com; script-src-elem 'self' 'unsafe-inline' https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://www.gstatic.com; font-src 'self' data: https://www.gstatic.com; connect-src 'self' https: http: ws: wss:; worker-src 'self' blob:;" script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https: http: ws: wss:; worker-src 'self' blob:"
 }
 @staticAssets {
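Review bot: On the added `Content-Security-Policy` line the new value closes at `worker-src 'self' blob:;"`, but the tail of the old policy (`script-src 'self' 'unsafe-inline'; … worker-src 'self' blob:"`) still follows it, leaving stray tokens and an unbalanced quote inside the `header` block. The line breaks were lost on this page, so whether that tail sits on the same line or the next is inferred; either way it should be deleted so the directive ends at the first closing quote, and running `caddy validate` on the file in CI would catch this kind of leftover before deploy. The description names Google Fonts and Google Analytics, yet the only host added is `https://www.gstatic.com`; Google Fonts normally serves its CSS from `fonts.googleapis.com` and font files from `fonts.gstatic.com`, so check the browser's CSP violation reports to confirm which hosts the app really needs. Because `script-src` and the new `script-src-elem` both keep `'unsafe-inline'`, the policy still gives little protection against injected script, and a hash- or nonce-based allowance would be the stronger follow-up.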
@@ -25,12 +25,12 @@
 handle /api/* {
 reverse_proxy recipe-api:8080
 }
-
- # SPA-routing – returnera alltid index.html för okända paths
- handle {
- try_files {path} /index.html
- file_server
- }
-
- encode gzip
-}
+
+ # SPA-routing – returnera alltid index.html för okända paths
+ handle {
+ try_files {path} /index.html
+ file_server
+ }
+
+ encode gzip
+}