Fix CSP errors, font preload 404, and theme-toggle.js deployment #741

Draft
Copilot wants to merge 3 commits into main from copilot/fix-content-security-policy-errors

Copilot AI commented Mar 3, 2026

Multiple browser console errors: CSP frame-ancestors ignored in meta tags, hardcoded Inter font preload returning 404, theme-toggle.js missing from build output (MIME type error), and d3-dsv csvParse blocked by CSP due to new Function() requiring unsafe-eval.

CSP meta tag cleanup

  • Removed frame-ancestors 'none' — only valid as HTTP header, ignored in <meta> elements
  • Applied across all 43 HTML files and both generation templates

Font preload removal

  • Removed hardcoded preload for UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa2JL7.woff2 (stale URL, 404)
  • Google Fonts CSS handles font file resolution dynamically; preconnect hints are sufficient

theme-toggle.js static asset fix

  • Created public/js/theme-toggle.js so Vite copies it to dist/js/ unchanged
  • Vite skips non-type="module" scripts during bundling — file was silently missing from build output

CSV parsing: d3-dsv → PapaParse

  • Replaced d3.csvParse() with PapaParse (already a dependency) as primary parser in coalition-dashboard.ts, risk-dashboard.ts, and shared/data-loader.ts
  • PapaParse doesn't use new Function(), eliminating the unsafe-eval CSP requirement entirely
  • d3.csvParse retained as fallback

// Before: requires unsafe-eval in CSP
return d3.csvParse(text) as CSVRow[];

// After: CSP-compatible, no unsafe-eval needed
const Papa = (globalThis as any).Papa;
if (Papa) {
  const parsed = Papa.parse(text, { header: true, skipEmptyLines: true });
  return parsed.data as CSVRow[];
}
return d3.csvParse(text) as CSVRow[];

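A CI-style check for the two CSP points in the description above, as an added example that is not part of this pull request or the project's code: it flags directives that browsers ignore in `<meta>`-delivered policies and `'unsafe-eval'` in the effective script source list. The function names, finding labels and sample HTML are constructed for illustration.

```javascript
// Directives browsers ignore in a <meta http-equiv> policy (HTTP header only).
const META_IGNORED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// Parse a serialized policy into Map<directive name, source list>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Collect the content of every <meta http-equiv="Content-Security-Policy"> tag.
function metaPolicies(html) {
  const policies = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if (!/http-equiv\s*=\s*["']?content-security-policy["'\s>]/i.test(tag)) continue;
    const m = tag.match(/\bcontent\s*=\s*"([^"]*)"/i);
    if (m) policies.push(m[1]);
  }
  return policies;
}

// Return findings for one HTML document (finding labels are hypothetical).
function auditHtml(html) {
  const findings = [];
  for (const policy of metaPolicies(html)) {
    const csp = parseCsp(policy);
    for (const name of csp.keys()) {
      if (META_IGNORED.has(name)) findings.push(`meta-ignored:${name}`);
    }
    // eval() and new Function() are governed by script-src, else default-src.
    const sources = csp.get("script-src") ?? csp.get("default-src") ?? [];
    if (sources.some((s) => s.toLowerCase() === "'unsafe-eval'")) findings.push("unsafe-eval");
  }
  return findings;
}

// Constructed sample pages, not the project's actual policies.
const SAMPLES = {
  frameAncestorsInMeta: `<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; frame-ancestors 'none'">`,
  unsafeEval: `<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-eval'">`,
  clean: `<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">`,
};
for (const [name, html] of Object.entries(SAMPLES)) console.log(name, auditHtml(html));
```

A `meta-ignored:frame-ancestors` finding means framing protection has to come from the HTTP response header, since the meta-delivered directive has no effect.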

Copilot AI and others added 2 commits March 3, 2026 00:20
- Remove frame-ancestors directive from CSP meta tags (not supported in meta elements)
- Add 'unsafe-eval' to script-src for d3-dsv CSV parsing compatibility
- Remove stale hardcoded Inter font preload links (404 errors)
- Copy theme-toggle.js to public/js/ for Vite static asset deployment
- Update article and news index templates with same fixes

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>

- Use PapaParse (already a project dependency) as primary CSV parser
  in coalition-dashboard, risk-dashboard, and shared data-loader
- PapaParse is CSP-compatible (no new Function() / eval usage)
- Remove unsafe-eval from CSP meta tags in all HTML files and templates
- d3.csvParse kept as fallback in risk-dashboard and data-loader

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix Content Security Policy directive issues" to "Fix CSP errors, font preload 404, and theme-toggle.js deployment" Mar 3, 2026