From 922230c108d8211ac78082f66f132eb24fe53bc4 Mon Sep 17 00:00:00 2001
From: OpenClaw
Date: Sat, 14 Feb 2026 22:31:18 +0000
Subject: [PATCH] fix: revert custom CSP - Helmet defaults are correct

Inline script was already extracted to swagger-init.js (BUG-004/005). Helmet defaults allow style-src unsafe-inline and font-src https, so Google Fonts and inline styles work without custom directives.
---
src/index.ts | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index cbdc6e4..f1b20b1 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -23,18 +23,7 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
 // Load API keys from persistent store
 loadKeys();
-app.use(helmet({
- crossOriginResourcePolicy: { policy: "cross-origin" },
- contentSecurityPolicy: {
- directives: {
- defaultSrc: ["'self'"],
- scriptSrc: ["'self'", "'unsafe-inline'"],
- styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
- imgSrc: ["'self'", "data:"],
- fontSrc: ["'self'", "https://fonts.gstatic.com"],
- }
- }
-}));
+app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));
 // Differentiated CORS middleware
 app.use((req, res, next) => {
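Review bot: The new `app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));` line now depends on Helmet's built-in CSP, but nothing in the code records which directives the app relies on, so a later Helmet major bump or a re-added `contentSecurityPolicy` block could quietly reintroduce `'unsafe-inline'` for scripts, which this revert removes. The revert is only safe as long as swagger-init.js is served from the same origin and no inline script remains, which the hunk itself cannot confirm. I would add a comment above the line, `// CSP comes from Helmet defaults: script-src 'self' only (no inline scripts, see swagger-init.js); style-src/font-src permit https: and 'unsafe-inline'`, and a response-header test asserting that `Content-Security-Policy` contains `script-src 'self'` with no `'unsafe-inline'` in that directive. In current Helmet versions the default set also emits `upgrade-insecure-requests`, which is worth checking if this service is ever reached over plain HTTP. The `app.use((req, res, next) => {` handler on the last line continues outside the hunk.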