From 5c972eafb88ce811f585bd58c953731a2702fba7 Mon Sep 17 00:00:00 2001
From: Sky Rose
Date: Fri, 10 Jan 2025 12:57:57 -0500
Subject: [PATCH] fix csp warning, typo and allow react developer tools (#218)
---
 lib/orbit_web/router.ex | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/orbit_web/router.ex b/lib/orbit_web/router.ex
index 011ce05..44186d6 100644
--- a/lib/orbit_web/router.ex
+++ b/lib/orbit_web/router.ex
@@ -15,13 +15,15 @@ defmodule OrbitWeb.Router do
 plug :put_secure_browser_headers, %{
 # much of this is necessary for Appcues: https://docs.appcues.com/user-experiences-faq/faq-content-security-policies
+ # script-src-elem 'unsafe-inline' is for react developer tools
 "content-security-policy" => "\
 connect-src 'self' *.sentry.io *.fullstory.com https://*.appcues.com https://*.appcues.net wss://*.appcues.net wss://*.appcues.com;\
 default-src 'self';\
- font-src self' https://fonts.gstatic.com;\
+ font-src 'self' https://fonts.gstatic.com;\
 frame-src 'self' https://*.appcues.com;\
 img-src 'self' https://*.appcues.com https://*.appcues.net res.cloudinary.com cdn.jsdelivr.net;\
 script-src 'self' *.fullstory.com https://*.appcues.com https://*.appcues.net;\
+ script-src-elem 'self' 'unsafe-inline';\
 style-src 'self' https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline';\
 "
 }
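Review bot: The added `script-src-elem 'self' 'unsafe-inline';\` line allows inline `<script>` elements in every environment that serves this header, which gives up most of the policy's protection against injected script, even though the new comment says the need is only React Developer Tools. In browsers that support `script-src-elem`, it takes precedence over `script-src` for `<script>` elements, so the FullStory and Appcues hosts listed in `script-src` no longer apply to script tags and those loads may now be blocked. Consider adding `'unsafe-inline'` only in development builds and keeping the production directive aligned with `script-src`, e.g. `script-src-elem 'self' *.fullstory.com https://*.appcues.com https://*.appcues.net;\`. The enclosing pipeline starts and ends outside the hunk, so it is not visible here whether this header is already environment-specific.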