fix: CSP and script-tag for Matomo analytics and AdSense

script-tag only destructured :src and :nonce, silently dropping extra
attributes like :async and :crossorigin needed by the AdSense tag.
Changed to pass through all attributes.

CSP connect-src blocked Matomo tracker requests to t.dungeonmastersvault.com
and frame-src (defaulting to 'self') blocked Google ad iframes. Added the
required domains to connect-src and frame-src.

https://claude.ai/code/session_011qVDwDfCBzuUQSLFff1V66

Author: claude

src/clj/orcpub/csp.clj

@@ -30,6 +30,8 @@
    The resulting CSP:
      - Uses 'strict-dynamic' for script-src (only nonced scripts execute)
      - Allows Google Fonts for styles and fonts
+     - Allows Matomo analytics (connect-src, img-src)
+     - Allows Google AdSense iframes (frame-src)
      - Restricts all other sources to 'self'
      - Blocks object embeds, restricts base-uri, frame-ancestors, and form-action"
   [nonce & {:keys [dev-mode?]}]
@@ -38,7 +40,9 @@
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
        "font-src 'self' https://fonts.gstatic.com; "
        "img-src 'self' data: https:; "
-       "connect-src 'self'" (when dev-mode? " ws://localhost:3449") "; "
+       "connect-src 'self' https://t.dungeonmastersvault.com https://pagead2.googlesyndication.com"
+       (when dev-mode? " ws://localhost:3449") "; "
+       "frame-src 'self' https://googleads.g.doubleclick.net https://tpc.googlesyndication.com; "
        "object-src 'none'; "
        "base-uri 'self'; "
        "frame-ancestors 'self'; "

src/clj/orcpub/index.clj

@@ -21,10 +21,10 @@
 
 (defn script-tag
   "Generate a script tag with optional nonce for CSP strict mode.
-   For external scripts, pass :src. For inline scripts, pass content as body."
-  [{:keys [src nonce]} & body]
-  (let [attrs (cond-> {}
-                src (assoc :src src)
+   For external scripts, pass :src. For inline scripts, pass content as body.
+   Extra attributes (e.g. :async, :crossorigin) are passed through to the tag."
+  [{:keys [nonce] :as opts} & body]
+  (let [attrs (cond-> (dissoc opts :nonce)
                 nonce (assoc :nonce nonce))]
     (if (seq body)
       (into [:script attrs] body)

test/clj/orcpub/csp_test.clj

@@ -43,6 +43,18 @@
       (is (str/includes? header "form-action 'self'")
           "Should restrict form-action")))
 
+  (testing "Header allows Matomo analytics"
+    (let [header (csp/build-csp-header "test-nonce")]
+      (is (str/includes? header "https://t.dungeonmastersvault.com")
+          "connect-src should allow Matomo tracker")))
+
+  (testing "Header allows AdSense iframes"
+    (let [header (csp/build-csp-header "test-nonce")]
+      (is (str/includes? header "https://googleads.g.doubleclick.net")
+          "frame-src should allow Google ad iframes")
+      (is (str/includes? header "https://tpc.googlesyndication.com")
+          "frame-src should allow Google syndication iframes")))
+
   (testing "Production mode does not include WebSocket"
     (let [header (csp/build-csp-header "test")]
       (is (not (str/includes? header "ws://"))