Fix CSP policy to allow Bootstrap CDN, data URIs for fonts, and WebSocket connections

Co-authored-by: dwarwick <15970276+dwarwick@users.noreply.github.com>

Author: Copilot

JwtIdentity/Middleware/ContentSecurityPolicyMiddleware.cs

@@ -14,14 +14,14 @@ public ContentSecurityPolicyMiddleware(RequestDelegate next)
 
         public async Task InvokeAsync(HttpContext context)
         {
-            // Define CSP policy that allows reCAPTCHA to function
+            // Define CSP policy that allows reCAPTCHA and other application resources to function
             var cspPolicy = "default-src 'self'; " +
-                           "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://www.googletagmanager.com https://pagead2.googlesyndication.com https://connect.facebook.net; " +
+                           "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com https://www.googletagmanager.com https://pagead2.googlesyndication.com https://connect.facebook.net https://cdn.jsdelivr.net; " +
                            "frame-src 'self' https://www.google.com https://www.facebook.com; " +
                            "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; " +
-                           "font-src 'self' https://fonts.gstatic.com; " +
+                           "font-src 'self' data: https://fonts.gstatic.com; " +
                            "img-src 'self' data: https: blob:; " +
-                           "connect-src 'self' https://www.google.com https://www.gstatic.com; " +
+                           "connect-src 'self' wss://localhost:* https://www.google.com https://www.gstatic.com https://cdn.jsdelivr.net; " +
                            "worker-src 'self' blob: https://www.google.com https://www.gstatic.com;";
 
             // Add CSP header