From 600196f679464858923a93a665c24a90894e33f6 Mon Sep 17 00:00:00 2001
From: Scott Pouliot
Date: Wed, 20 May 2026 23:03:08 -0400
Subject: [PATCH] Add ws://localhost:* to dev CSP connect-src for browser refresh aspnetcore-browser-refresh.js uses plain ws:// (not wss://) so it was blocked by the CSP which only listed wss://localhost:*. Both are needed in dev: ws:// for the dotnet watch browser refresh socket, wss:// for SignalR.
Co-Authored-By: Claude Sonnet 4.6
---
 src/PowderCoating.Web/Program.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PowderCoating.Web/Program.cs b/src/PowderCoating.Web/Program.cs
index acb97e9..51f2d8a 100644
--- a/src/PowderCoating.Web/Program.cs
+++ b/src/PowderCoating.Web/Program.cs
@@ -634,7 +634,7 @@ app.Use(async (context, next) =>
 : "'self' 'unsafe-inline' https://cdn.jsdelivr.net https://code.jquery.com https://js.stripe.com";
 var cspConnectSrc = app.Environment.IsDevelopment()
- ? "'self' wss://localhost:* https://cdn.jsdelivr.net https://api.stripe.com" // Allow hot reload WebSocket in dev
+ ? "'self' ws://localhost:* wss://localhost:* https://cdn.jsdelivr.net https://api.stripe.com" // Allow hot reload WebSocket in dev (ws:// for browser-refresh, wss:// for SignalR)
 : "'self' https://cdn.jsdelivr.net https://api.stripe.com";
 context.Response.Headers.Append("Content-Security-Policy",
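Review bot: The development and production branches of `cspConnectSrc` repeat `'self' https://cdn.jsdelivr.net https://api.stripe.com` in two separate literals, so a source added to one can be missed in the other, and a policy gap masked by the dev list would only surface in production. Composing the dev value from a shared base keeps them aligned: `const string connectBase = "'self' https://cdn.jsdelivr.net https://api.stripe.com";` followed by `var cspConnectSrc = app.Environment.IsDevelopment() ? connectBase + " ws://localhost:* wss://localhost:*" : connectBase;`. The plaintext `ws://localhost:*` entry is emitted wherever `IsDevelopment()` returns true, so it is worth confirming that deployed instances never run with the Development environment, since the relaxed header would then be served to real clients. The enclosing `app.Use` lambda starts and ends outside the hunk.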