fix: allow Monaco editor CDN in CSP for trace page diffs (#2611)

## Summary
- The Monaco diff editor on `/trace/[id]` pages was not loading because
`@monaco-editor/react` fetches JS, CSS, and font assets from
`cdn.jsdelivr.net` by default
- The Content Security Policy in `next.config.mjs` blocked those
requests (missing from `script-src`, `style-src`, `font-src`)
- Added `https://cdn.jsdelivr.net` to the three relevant CSP directives

## Test plan
- [ ] Open a trace page (e.g.
`/trace/c0668bd3-9321-4082-9c43-3e41bdd9b1c5`) and verify the code diff
renders
- [ ] Check browser console for no remaining CSP violations
- [ ] Verify no regressions on other pages

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Sarthak Agarwal <sarthak.saga@gmail.com>
Aseem Saxena 2026-04-21 15:37:40 -07:00 committed by GitHub
parent f9c6376f14
commit a3f0c07bb6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -27,10 +27,10 @@ const nextConfig = {
key: "Content-Security-Policy",
value: [
"default-src 'self'",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://widget.intercom.io https://js.intercomcdn.com https://client.crisp.chat https://settings.crisp.chat",
"style-src 'self' 'unsafe-inline' https://client.crisp.chat",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://widget.intercom.io https://js.intercomcdn.com https://client.crisp.chat https://settings.crisp.chat",
"style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://client.crisp.chat",
"img-src 'self' data: blob: https://avatars.githubusercontent.com https://github.com https://*.intercomcdn.com https://*.crisp.chat https://image.crisp.chat",
"font-src 'self' data: https://client.crisp.chat",
"font-src 'self' data: https://cdn.jsdelivr.net https://client.crisp.chat",
"connect-src 'self' https://*.intercom.io https://api-iam.intercom.io wss://*.intercom.io https://*.crisp.chat wss://*.crisp.chat https://*.sentry.io https://*.ingest.us.sentry.io https://us.i.posthog.com https://us.posthog.com",
"frame-src 'self' https://intercom-sheets.com https://game.crisp.chat",
"media-src 'self' https://*.intercomcdn.com",
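
Review bot: In the new `script-src` line, `https://cdn.jsdelivr.net` is allowed as a whole host, and jsDelivr serves any public npm package or GitHub repository, so this entry permits script loads from far more than Monaco, on a policy that already carries `'unsafe-inline'` and `'unsafe-eval'`. Consider scoping the source to the Monaco path (a CSP source expression can include a path, e.g. `https://cdn.jsdelivr.net/npm/monaco-editor@<version>/`), or serving Monaco from `'self'` and pointing `@monaco-editor/react` at it with `loader.config({ paths: { vs: ... } })`, which would make all three additions unnecessary. The same scoping applies to the `style-src` and `font-src` entries.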