From 43594777e03b6e3f809b97e752a4880930fb9e4d Mon Sep 17 00:00:00 2001
From: Mark <162816078+markashton480@users.noreply.github.com>
Date: Mon, 2 Mar 2026 15:34:09 +0000
Subject: [PATCH] fix(csp): skip restrictive CSP on Wagtail/Django admin paths

The SecurityHeadersMiddleware applied a strict style-src policy to all
responses, blocking inline styles that Wagtail admin relies on for
layout. Skip the custom CSP for /cms/ and /django-admin/ paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 apps/core/middleware.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/core/middleware.py b/apps/core/middleware.py
index 0152ed1..25fd18c 100644
--- a/apps/core/middleware.py
+++ b/apps/core/middleware.py
@@ -18,10 +18,14 @@ class SecurityHeadersMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
+    ADMIN_PREFIXES = ("/cms/", "/django-admin/")
+
     def __call__(self, request):
         nonce = secrets.token_urlsafe(16)
         request.csp_nonce = nonce
         response = self.get_response(request)
+        if request.path.startswith(self.ADMIN_PREFIXES):
+            return response
         response["Content-Security-Policy"] = (
             f"default-src 'self'; "
             f"script-src 'self' 'nonce-{nonce}'; "
-- 
2.49.1