Modifies some content security policy settings

src/HomeAutio.Mqtt.GoogleHome/Views/Shared/_Layout.cshtml

@@ -22,9 +22,9 @@
         @RenderBody()
     </div>
 
-    <script src="https://code.jquery.com/jquery-3.6.3.min.js" crossorigin="anonymous"></script>
+    <script src="~/lib/jquery/jquery-3.6.3.min.js"></script>
     <script src="~/lib/styleswitcher/styleswitcher.js"></script>
-    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/js/bootstrap.bundle.min.js" crossorigin="anonymous"></script>
+    <script src="~/lib/bootstrap/bootstrap-5.2.3.bundle.min.js"></script>
 
     @RenderSection("scripts", required: false)
 </body>

src/IdentityServerHost.Quickstart.UI/SecurityHeadersAttribute.cs

@@ -27,7 +27,10 @@ public override void OnResultExecuting(ResultExecutingContext context)
                 }
 
                 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-                var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
+                //var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
+
+                // The above is a bunch of bullshit, open it up
+                var csp = "default-src 'self'; img-src 'self' data:; style-src 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
                 // also consider adding upgrade-insecure-requests once you have HTTPS in place for production
                 //csp += "upgrade-insecure-requests;";
                 // also an example if you need client images to be displayed from twitter