From 8414305ea3648fba367683077db0c73f4850f111 Mon Sep 17 00:00:00 2001
From: Codex Agent
Date: Sat, 24 Jan 2026 23:16:23 +0100
Subject: [PATCH] Fix CSP style-src-elem allowlist

---
 app/Http/Middleware/ContentSecurityPolicy.php | 14 +++++--------
 tests/Feature/SecurityHeadersTest.php | 2 ++
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/app/Http/Middleware/ContentSecurityPolicy.php b/app/Http/Middleware/ContentSecurityPolicy.php
index 382bc3b..13cf72b 100644
--- a/app/Http/Middleware/ContentSecurityPolicy.php
+++ b/app/Http/Middleware/ContentSecurityPolicy.php
@@ -48,15 +48,6 @@ class ContentSecurityPolicy
 "'nonce-{$styleNonce}'",
 'https:',
 ];
- $styleElemSources = [];
- if ($allowUnsafeInlineStyles) {
- $styleElemSources = [
- "'self'",
- "'unsafe-inline'",
- 'https:',
- 'data:',
- ];
- }
 
 $connectSources = [
 "'self'",
@@ -129,6 +120,11 @@ class ContentSecurityPolicy
 $styleSources[] = 'data:';
 $connectSources[] = 'https:';
 $fontSources[] = 'https:';
+ $styleElemSources = $styleSources;
+
+ if ($allowUnsafeInlineStyles) {
+ $styleElemSources = array_unique(array_merge($styleElemSources, ["'unsafe-inline'"]));
+ }
 
 $directives = [
 'default-src' => ["'self'"],
diff --git a/tests/Feature/SecurityHeadersTest.php b/tests/Feature/SecurityHeadersTest.php
index 3e6d240..4b8f5b4 100644
--- a/tests/Feature/SecurityHeadersTest.php
+++ b/tests/Feature/SecurityHeadersTest.php
@@ -36,6 +37,7 @@ class SecurityHeadersTest extends TestCase
 $response->assertHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
 $response->assertHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
 $response->assertHeader('Content-Security-Policy');
+ $response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
 $response->assertHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
 $response->assertCookie('XSRF-TOKEN');
 
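Review bot: `$styleElemSources = $styleSources;` carries the `'nonce-{$styleNonce}'` entry (visible in the context of the first hunk) into style-src-elem, and under CSP Level 3 a directive that contains a nonce or hash makes browsers ignore `'unsafe-inline'`, so the `$allowUnsafeInlineStyles` branch appended right below it changes nothing in current browsers — inline `<style>` elements without the nonce stay blocked, which is apparently what the removed nonce-free list was avoiding. If the flag is meant to genuinely permit inline style elements, derive the list without the nonce before merging, e.g. `$styleElemSources = array_values(array_filter($styleSources, static fn (string $s): bool => !str_starts_with($s, "'nonce-")));`; if it is meant only as a legacy-browser fallback, a comment above the `if` saying so would stop the next reader from expecting it to take effect. The `array_unique` is harmless but unneeded, since `'unsafe-inline'` is only ever appended once here. The enclosing method starts before and ends after this hunk.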
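Review bot: The new assertion only proves `style-src-elem 'self'` is present; it does not pin the security-relevant half of the change, that `'unsafe-inline'` is absent from style-src-elem when `$allowUnsafeInlineStyles` is off, so a regression that re-adds it unconditionally would still pass — a companion check for the default configuration such as `$this->assertStringNotContainsString("'unsafe-inline'", $response->headers->get('Content-Security-Policy'));` would close that gap (the same applies to the `@@ -46,6 +47,7 @@` hunk). As far as I can tell `assertHeaderContains` is not on Laravel's stock `TestResponse`, which offers `assertHeader` and `assertHeaderMissing`; unless the project registers it as a macro, both new lines will fail at runtime rather than assert anything. The enclosing test method starts before this hunk.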
@@ -46,6 +47,7 @@ class SecurityHeadersTest extends TestCase
 $login->assertOk();
 $login->assertHeader('Content-Security-Policy');
+ $login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
 $login->assertHeader('X-Frame-Options', 'SAMEORIGIN');
 $login->assertCookie('XSRF-TOKEN');
 } finally {