From 8657600c21dd8d8ba8f0580ea51b850e959911c1 Mon Sep 17 00:00:00 2001
From: patdelphi
Date: Fri, 22 Aug 2025 16:14:28 +0800
Subject: [PATCH] fix: Add CSP connectSrc directive for AI API calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Added connectSrc to Content Security Policy
- Allow connections to OpenAI, 智谱AI, Azure OpenAI, Anthropic, and Google AI APIs
- Fixes CSP violation error when calling external AI services in production
- Resolves: 'Refused to connect because it violates the document's Content Security Policy'
---
 server/index.cjs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/index.cjs b/server/index.cjs
index 88e53f5..62a4cbd 100644
--- a/server/index.cjs
+++ b/server/index.cjs
@@ -36,6 +36,14 @@ app.use(helmet({
 styleSrc: ["'self'", "'unsafe-inline'"],
 scriptSrc: ["'self'"],
 imgSrc: ["'self'", "data:", "https:"],
+connectSrc: [
+"'self'",
+"https://api.openai.com",
+"https://open.bigmodel.cn",
+"https://*.openai.azure.com",
+"https://api.anthropic.com",
+"https://generativelanguage.googleapis.com"
+],
 },
 },
 crossOriginEmbedderPolicy: false
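Review bot: The new connectSrc entry `"https://*.openai.azure.com"` is a wildcard, so the page may open connections to any Azure OpenAI resource in any tenant rather than only the deployment this app uses; pinning the specific resource hostname (read from configuration, e.g. `process.env.AZURE_OPENAI_HOST` as a constructed example) or documenting why the wildcard is needed would keep the policy as tight as the other four entries. Since these are browser-initiated connections, the client presumably holds the credentials for those services; if they are server-owned keys rather than user-supplied ones, routing the calls through a same-origin proxy would let connect-src stay at `'self'` and keep the keys off the client — worth confirming against the front-end code. The list also duplicates whatever provider list the client maintains, so a comment such as `// connect-src: AI providers the browser calls directly; keep in sync with the client provider list` above the array would help the next maintainer. The enclosing `app.use(helmet({ ... }))` call begins before and ends after this hunk.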