fix: add cdn.jsdelivr.net to CSP connect-src to allow xterm source map fetches

Closes #1850

Co-authored-by: Chase Florell <ChaseFlorell@users.noreply.github.com>

api/helpers.py

@@ -46,7 +46,7 @@ def _security_headers(handler):
         "default-src 'self' https://*.cloudflareaccess.com; "
         "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://static.cloudflareinsights.com; "
         "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; "
-        "img-src 'self' data: https: blob:; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com; connect-src 'self'; "
+        "img-src 'self' data: https: blob:; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com; connect-src 'self' https://cdn.jsdelivr.net; "
         "manifest-src 'self' https://*.cloudflareaccess.com; "
         "base-uri 'self'; form-action 'self'"
     )

tests/test_issue1850_csp_connect_src_jsdelivr.py

@@ -0,0 +1,36 @@
+"""Regression test for #1850 — CSP connect-src must allow cdn.jsdelivr.net.
+
+xterm.js, xterm-addon-fit, and xterm-addon-web-links are loaded from
+cdn.jsdelivr.net via <script> tags. Their bundled source maps also live on
+jsDelivr and are fetched via connect (not script load), so connect-src must
+include cdn.jsdelivr.net or browsers block the fetch and emit CSP violations.
+"""
+import re
+
+
+def _helpers_src() -> str:
+    with open("api/helpers.py") as f:
+        return f.read()
+
+
+class TestCSPConnectSrcJsdelivr:
+    """connect-src must allow cdn.jsdelivr.net for xterm source map fetches."""
+
+    def test_connect_src_includes_jsdelivr(self):
+        """connect-src must include https://cdn.jsdelivr.net."""
+        src = _helpers_src()
+        connect_match = re.search(r"connect-src\s+([^;]+);", src)
+        assert connect_match, "connect-src directive must exist in CSP"
+        assert "https://cdn.jsdelivr.net" in connect_match.group(1), (
+            "connect-src must allow cdn.jsdelivr.net — xterm.js source maps are "
+            "fetched from that origin and the CSP blocks them without this entry"
+        )
+
+    def test_connect_src_still_includes_self(self):
+        """connect-src must still include 'self' alongside the new jsdelivr entry."""
+        src = _helpers_src()
+        connect_match = re.search(r"connect-src\s+([^;]+);", src)
+        assert connect_match, "connect-src directive must exist in CSP"
+        assert "'self'" in connect_match.group(1), (
+            "connect-src must retain 'self' after adding cdn.jsdelivr.net"
+        )