From 29ef6bd80448e58bb9ea31ff73b51f6ddbbcf30f Mon Sep 17 00:00:00 2001
From: wandyezj <wandyezj@gmail.com>
Date: Sat, 22 Jun 2024 11:52:02 -0700
Subject: [PATCH] Fix Content Security Policy for Outlook (#60)

---
 .vscode/cspell.json                      | 1 +
 docs/features/content-security-policy.md | 6 ++++++
 src/edit.html                            | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 docs/features/content-security-policy.md

diff --git a/.vscode/cspell.json b/.vscode/cspell.json
index 246944d..fdc925c 100644
--- a/.vscode/cspell.json
+++ b/.vscode/cspell.json
@@ -9,6 +9,7 @@
     "words": [
         "Addin",
         "appsforoffice",
+        "aspnetcdn",
         "CODEOWNERS",
         "endregion",
         "eqeqeq",
diff --git a/docs/features/content-security-policy.md b/docs/features/content-security-policy.md
new file mode 100644
index 0000000..ba3d2d0
--- /dev/null
+++ b/docs/features/content-security-policy.md
@@ -0,0 +1,6 @@
+# Content Security Policy
+
+The policy applied
+
+- script-src `ajax.aspnetcdn.com`
+    - required for outlook, loaded by office.js
\ No newline at end of file
diff --git a/src/edit.html b/src/edit.html
index 65cbd81..b1112e5 100644
--- a/src/edit.html
+++ b/src/edit.html
@@ -4,7 +4,7 @@
         <meta charset="UTF-8" />
         <meta
             http-equiv="Content-Security-Policy"
-            content="default-src 'self'; script-src 'self' appsforoffice.microsoft.com; style-src 'self' 'unsafe-inline'; connect-src *; frame-src telemetryservice.firstpartyapps.oaspapps.com;"
+            content="default-src 'self'; script-src 'self' appsforoffice.microsoft.com ajax.aspnetcdn.com; style-src 'self' 'unsafe-inline'; connect-src *; frame-src telemetryservice.firstpartyapps.oaspapps.com;"
         />
         <script src="https://appsforoffice.microsoft.com/lib/1/hosted/office.js" type="text/javascript"></script>
         <link rel="stylesheet" type="text/css" href="./edit.css" />
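Review bot: The new `ajax.aspnetcdn.com` entry in `script-src` on the added line is a bare host-source, so it allows any script served from that shared CDN, not only the resources office.js fetches for Outlook, and it takes the page's scheme instead of pinning HTTPS. Tighten it at least to the scheme, `script-src 'self' appsforoffice.microsoft.com https://ajax.aspnetcdn.com;`, and if the CDN paths office.js requests are known, add a path prefix so the allowance is no wider than needed. The reason for the entry is recorded only in the new docs file; an HTML comment above the meta tag, such as `<!-- ajax.aspnetcdn.com: script host used by office.js on Outlook; see docs/features/content-security-policy.md -->`, keeps the justification next to the policy where it will be edited. Because the policy is a meta tag with no report-uri/report-to directive, violations are only visible in the browser console, so that is where a check on Outlook should confirm no further hosts are blocked.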