From d2ac611cc8bc122f3c897aa04428d7bac6b0b887 Mon Sep 17 00:00:00 2001
From: Kamil Gabryjelski
Date: Fri, 29 Sep 2023 19:51:19 +0200
Subject: [PATCH 1/2] fix: Styles not loading because of faulty CSP setting
---
 superset/config.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/superset/config.py b/superset/config.py
index f14eeaa968a79..c5fc120f10ff1 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1429,7 +1429,7 @@ def EMAIL_HEADER_MUTATOR( # pylint: disable=invalid-name,unused-argument
 "style-src": ["'self'", "'unsafe-inline'"],
 "script-src": ["'self'", "'strict-dynamic'"],
 },
- "content_security_policy_nonce_in": ["script-src", "style-src"],
+ "content_security_policy_nonce_in": ["script-src"],
 "force_https": False,
 }
 # React requires `eval` to work correctly in dev mode
@@ -1444,10 +1444,14 @@ def EMAIL_HEADER_MUTATOR( # pylint: disable=invalid-name,unused-argument
 "https://events.mapbox.com",
 ],
 "object-src": "'none'",
- "style-src": ["'self'", "'unsafe-inline'"],
+ "style-src": [
+ "'self'",
+ "'unsafe-inline'",
+ "https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css",
+ ],
 "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
 },
- "content_security_policy_nonce_in": ["script-src", "style-src"],
+ "content_security_policy_nonce_in": ["script-src"],
 "force_https": False,
 }
From fb1e9d242d69c1cec167e67b9e98d363e8aa4ee8 Mon Sep 17 00:00:00 2001
From: Kamil Gabryjelski
Date: Fri, 29 Sep 2023 19:58:40 +0200
Subject: [PATCH 2/2] add fix for prod as well
---
 superset/config.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/superset/config.py b/superset/config.py
index c5fc120f10ff1..20735a77ec58d 100644
--- a/superset/config.py
+++ b/superset/config.py
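Review bot: Nothing in the config records why `style-src` was dropped from `content_security_policy_nonce_in`, and the reason is security-relevant: when a nonce is present in a directive, CSP2-aware browsers ignore `'unsafe-inline'` in that same directive, so removing the nonce is what makes `'unsafe-inline'` effective again for styles — presumably the cause of the broken styling named in the commit title. That is a deliberate loosening (inline styles are now accepted without a nonce, for the production config here and the dev config in the next hunk alike), and anyone tightening the CSP later will re-add `style-src` and reintroduce the breakage unless it is explained. Suggest a comment above the changed line in both configs, e.g. `# "style-src" is intentionally absent: a nonce here makes browsers ignore 'unsafe-inline', which blocks the frontend's inline styles` (confirm that inline styles without a nonce are indeed what the frontend emits). The enclosing TALISMAN_CONFIG dict begins before this hunk.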
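Review bot: The literal `https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css` is written out here and again in the production config in the second patch's hunk, so the two allow-lists can silently drift; a single module-level constant, e.g. `SWAGGER_UI_CSS_URL = "https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css"`, referenced from both `style-src` lists, keeps them in step. The entry is narrowly scoped as written (a CSP source with a non-trailing-slash path matches that exact path), which is the right shape; note though that `@5` floats across releases and CSP only constrains origin and path, not content, so whatever `<link>` loads this stylesheet is the place for an `integrity` attribute if that template is under the project's control — I cannot tell from the diff which template that is. The dev config dict starts before this hunk.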
@@ -1426,7 +1426,11 @@ def EMAIL_HEADER_MUTATOR( # pylint: disable=invalid-name,unused-argument
 "https://events.mapbox.com",
 ],
 "object-src": "'none'",
- "style-src": ["'self'", "'unsafe-inline'"],
+ "style-src": [
+ "'self'",
+ "'unsafe-inline'",
+ "https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css",
+ ],
 "script-src": ["'self'", "'strict-dynamic'"],
 },
 "content_security_policy_nonce_in": ["script-src"],
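Review bot: The production `style-src` now trusts a third-party CDN with no comment saying which page needs it; the commit title only says "prod as well", and future readers pruning the policy will have to rediscover that. Suggest annotating the new entry, e.g. `# Stylesheet for the Swagger UI API docs page; keep this path-pinned rather than allowing the whole origin`. Because CSP cannot pin content, production styling for that page now depends on jsdelivr's availability and integrity; serving the file from `'self'` would remove the external dependency entirely, or an `integrity` attribute on the loading `<link>` would at least pin the content — which of the two is practical depends on whether the template lives in this project, which the diff does not show. The enclosing dict starts before this hunk and continues after it.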