From 9387a85f02100ce41fd460f1e21a5ec77b72973a Mon Sep 17 00:00:00 2001
From: Aristotelis <5459332+glutanimate@users.noreply.github.com>
Date: Thu, 24 Apr 2025 07:28:25 +0200
Subject: [PATCH] Add add-on scripts to editor CSP (#3942)
(cherry picked from commit 79b19a17a3160e461a62aadfa557f57b36e1e05d)
---
 qt/aqt/mediasrv.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/qt/aqt/mediasrv.py b/qt/aqt/mediasrv.py
index 3acfe96c3..f086ae515 100644
--- a/qt/aqt/mediasrv.py
+++ b/qt/aqt/mediasrv.py
@@ -750,8 +750,12 @@ def legacy_page_data() -> Response:
 # have access to our internal API, and is a security risk.
 if page.context == PageContext.EDITOR:
 port = aqt.mw.mediaServer.getPort()
+ csp_paths = (
+ f"http://127.0.0.1:{port}/_anki/",
+ f"http://127.0.0.1:{port}/_addons/",
+ )
 response.headers["Content-Security-Policy"] = (
- f"script-src http://127.0.0.1:{port}/_anki/"
+ f"script-src {' '.join(csp_paths)}"
 )
 return response
 else:
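Review bot: The new `csp_paths` tuple widens the editor's `script-src` to everything under `/_addons/`, but nothing in the hunk records why that prefix is as trusted as `/_anki/`, while the comment just above calls script access to the internal API a security risk. The hunk does not show which files the `/_addons/` route serves, so the assumption worth stating is that it only exposes files shipped by installed add-ons and never note or media content. I would add a comment above the tuple such as `# /_addons/ serves add-on web exports only; add-ons already run as trusted code, and card/media content must never be reachable under this prefix`. `legacy_page_data` starts and ends outside the hunk, so the rest of the response-header handling is not visible here.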