From 0c39b801fe7c53b80ec1a55dcb963c7e9db9603b Mon Sep 17 00:00:00 2001
From: BatLeDev
Date: Mon, 30 Mar 2026 11:22:05 +0200
Subject: [PATCH] fix: add connect-src CSP directive for vjsf remote fetches
---
 api/src/app.ts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/api/src/app.ts b/api/src/app.ts
index c584614..4f11bdd 100644
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -35,6 +35,8 @@ if (process.env.NODE_ENV !== 'test') {
 const cspDirectives = { ...defaultNonceCSPDirectives }
 // necessary to use vjsf without pre-compilation
 cspDirectives['script-src'] = "'unsafe-eval' " + defaultNonceCSPDirectives['script-src']
+ // necessary for vjsf to fetch remote services
+ cspDirectives['connect-src'] = "'self' https:"
 app.use(await createSpaMiddleware(resolve(import.meta.dirname, '../../ui/dist'), uiConfig, {
 csp: {
 nonce: true,
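Review bot: The added `cspDirectives['connect-src'] = "'self' https:"` lets the SPA open fetch/XHR/WebSocket-over-TLS connections to any HTTPS origin, so together with the `'unsafe-eval'` already granted on `script-src` the policy no longer limits where an injected script could send data. If the remote services vjsf calls are known at deploy time, build the value from a configured origin list instead of the bare `https:` scheme source; if they are genuinely arbitrary, say so in the comment, e.g. `// vjsf schemas may reference arbitrary remote services, so connect-src is open to any https origin (CSP no longer restricts outbound requests)`. The assignment also replaces rather than extends the default, unlike the `script-src` line above it, so any `connect-src` entries in `defaultNonceCSPDirectives` (not visible in this hunk) would be dropped. The enclosing `if (process.env.NODE_ENV !== 'test')` block starts and ends outside the hunk.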