From f51f0a0c93b60dfec7ce02be0ecd2587fc882fe0 Mon Sep 17 00:00:00 2001
From: Kalista Payne
Date: Fri, 12 Dec 2025 16:52:14 -0600
Subject: [PATCH] fix(CSP): move trusted list to default-src
---
 website/server/middlewares/index.js | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/website/server/middlewares/index.js b/website/server/middlewares/index.js
index d4adb48849..28b9259208 100644
--- a/website/server/middlewares/index.js
+++ b/website/server/middlewares/index.js
@@ -69,19 +69,17 @@ export default function attachMiddlewares (app, server) {
 contentSecurityPolicy: {
 directives: {
 defaultSrc: [
- '*.habitica.com',
 '*.amazonaws.com',
- ],
- imgSrc: null,
- scriptSrc: [
- '\'unsafe-eval\'',
 '*.habitica.com',
- '*.amazonaws.com',
 'cloudfront.loggly.com',
 'js.stripe.com',
 'm.stripe.network',
 'static-na.payments-amazon.com',
 ],
+ imgSrc: '*',
+ scriptSrc: [
+ '\'unsafe-eval\'',
+ ],
 upgradeInsecureRequests: IS_PROD ? [] : null,
 },
 },
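Review bot: With the host list removed, the new `scriptSrc: ['\'unsafe-eval\'']` is a script-src that names no origin at all: a browser does not fall back to default-src once script-src is present, and (assuming this is helmet's contentSecurityPolicy with its defaults enabled) a supplied directive replaces the default rather than merging with it, so scripts from *.habitica.com, js.stripe.com and the other listed hosts — and same-origin scripts — would be blocked rather than inherited from the trusted list. If inheritance is the intent, set `scriptSrc: null,` and add `'\'unsafe-eval\'',` to defaultSrc; otherwise keep the host entries under scriptSrc as before. Separately, moving cloudfront.loggly.com, js.stripe.com and static-na.payments-amazon.com into default-src now also permits them for connect-src, frame-src, font-src and every other fetch directive that is not set explicitly, and `imgSrc: '*'` allows images from any origin, so the resulting policy is broader than the old one in those directives. attachMiddlewares continues past the hunk, so any further CSP options set below are not visible here.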