From 65b8a3fe960343d0490c4a2bd30f4fbd001a3d75 Mon Sep 17 00:00:00 2001
From: kermieisinthehouse <kermie@isinthe.house>
Date: Sat, 18 Dec 2021 00:09:39 +0000
Subject: [PATCH] Whitelist CDN used by playground (#2139)

---
 pkg/api/server.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkg/api/server.go b/pkg/api/server.go
index 307fbea40..fb07861c7 100644
--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -352,12 +352,15 @@ func SecurityHeadersMiddleware(next http.Handler) http.Handler {
 		// Allows websocket requests to any origin
 		connectableOrigins += " ws: wss:"
 
+		// The graphql playground pulls its frontend from a cdn
+		connectableOrigins += " https://cdn.jsdelivr.net "
+
 		if !c.IsNewSystem() && c.GetHandyKey() != "" {
 			connectableOrigins += " https://www.handyfeeling.com"
 		}
 		connectableOrigins += "; "
 
-		cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "img-src data: *; script-src 'self' 'unsafe-inline'; media-src 'self' blob:; child-src 'none'; object-src 'none'; form-action 'self'"
+		cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "img-src data: *; script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; media-src 'self' blob:; child-src 'none'; object-src 'none'; form-action 'self'"
 
 		w.Header().Set("Referrer-Policy", "same-origin")
 		w.Header().Set("X-Content-Type-Options", "nosniff")