From a21321bb3cc061a8d50aeb36fbf08f47eefa0027 Mon Sep 17 00:00:00 2001
From: Codex Agent
Date: Sat, 24 Jan 2026 21:16:31 +0100
Subject: [PATCH] Allow inline style elements for event-admin CSP

---
 app/Http/Middleware/ContentSecurityPolicy.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/Http/Middleware/ContentSecurityPolicy.php b/app/Http/Middleware/ContentSecurityPolicy.php
index 787d2ad..382bc3b 100644
--- a/app/Http/Middleware/ContentSecurityPolicy.php
+++ b/app/Http/Middleware/ContentSecurityPolicy.php
@@ -48,8 +48,14 @@ class ContentSecurityPolicy
             "'nonce-{$styleNonce}'",
             'https:',
         ];
+        $styleElemSources = [];
         if ($allowUnsafeInlineStyles) {
-            $styleSources[] = "'unsafe-inline'";
+            $styleElemSources = [ "'self'", "'unsafe-inline'", 'https:', 'data:', ];
         }

         $connectSources = [
@@ -128,6 +134,7 @@ class ContentSecurityPolicy
             'default-src' => ["'self'"],
             'script-src' => array_unique($scriptSources),
             'style-src' => array_unique($styleSources),
+            'style-src-elem' => $styleElemSources,
             'style-src-attr' => ["'unsafe-inline'"],
             'img-src' => array_unique($imgSources),
             'font-src' => array_unique($fontSources),
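Review bot: The new `$styleElemSources` list in the `if ($allowUnsafeInlineStyles)` branch grants `data:` for stylesheet elements even though the commit subject only asks for inline `<style>` elements; `data:` lets any injected `<link rel="stylesheet" href="data:text/css,...">` load attacker-controlled CSS, a CSS-injection/exfiltration primitive that `'unsafe-inline'` by itself does not open. Drop it unless a concrete stylesheet really is served from a `data:` URL, e.g. `$styleElemSources = ["'self'", "'unsafe-inline'", 'https:'];`, and if it must stay, name that stylesheet in a comment. It is also worth recording why the nonce is deliberately absent from this directive, since a nonce in the same directive makes browsers ignore `'unsafe-inline'` — which is presumably why the removed `$styleSources[] = "'unsafe-inline'"` had no effect next to `'nonce-{$styleNonce}'`: `// No nonce here on purpose: a nonce in the same directive makes browsers discard 'unsafe-inline'.` The enclosing method starts and ends outside this hunk.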
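Review bot: When `$allowUnsafeInlineStyles` is false, `'style-src-elem' => $styleElemSources` hands the serializer an empty array; unless the serializer (outside this hunk) skips empty directives, the header will carry a bare `style-src-elem` whose empty source list means `'none'`, which blocks every `<link>` and `<style>` element on non-admin pages and silently discards the nonce and `https:` allowances that `style-src` still lists. Safer to mirror `style-src` when the override is off, which is exactly the browser's own fallback: `'style-src-elem' => $styleElemSources === [] ? array_unique($styleSources) : $styleElemSources,` — or only set the key when the list is non-empty. The neighbouring directives are all passed through `array_unique()`; apply it here as well for consistency. The array literal this line belongs to starts and ends outside this hunk.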