From 0dd1a3bea5baf403d9081f0f2cf83b61ce0245ba Mon Sep 17 00:00:00 2001
From: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
Date: Fri, 29 Sep 2023 20:54:32 +0200
Subject: [PATCH] fix: Styles not loading because of faulty CSP setting
 (#25468)

(cherry picked from commit 0cebffd59a45bb7256e1817d9792dbe2793fba72)
---
 superset/config.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/superset/config.py b/superset/config.py
index 6ec132d43e53e..bda7d0e5f0ad1 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1415,10 +1415,14 @@ def EMAIL_HEADER_MUTATOR(  # pylint: disable=invalid-name,unused-argument
             "https://events.mapbox.com",
         ],
         "object-src": "'none'",
-        "style-src": ["'self'", "'unsafe-inline'"],
+        "style-src": [
+            "'self'",
+            "'unsafe-inline'",
+            "https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css",
+        ],
         "script-src": ["'self'", "'strict-dynamic'"],
     },
-    "content_security_policy_nonce_in": ["script-src", "style-src"],
+    "content_security_policy_nonce_in": ["script-src"],
     "force_https": False,
 }
 # React requires `eval` to work correctly in dev mode
@@ -1433,10 +1437,14 @@ def EMAIL_HEADER_MUTATOR(  # pylint: disable=invalid-name,unused-argument
             "https://events.mapbox.com",
         ],
         "object-src": "'none'",
-        "style-src": ["'self'", "'unsafe-inline'"],
+        "style-src": [
+            "'self'",
+            "'unsafe-inline'",
+            "https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css",
+        ],
         "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
     },
-    "content_security_policy_nonce_in": ["script-src", "style-src"],
+    "content_security_policy_nonce_in": ["script-src"],
     "force_https": False,
 }