From b9cd693421778ac8ae70ee3cfff3affa166f374d Mon Sep 17 00:00:00 2001 From: Scott Pouliot Date: Sat, 23 May 2026 09:59:14 -0400 Subject: [PATCH] Fix QR label modal: allow self in frame-src CSP, fix Bootstrap API call frame-src was missing 'self' so the Label iframe was blocked by CSP. bootstrap.Modal.getOrCreate does not exist; correct method is getOrCreateInstance. Co-Authored-By: Claude Sonnet 4.6 --- src/PowderCoating.Web/Program.cs | 2 +- src/PowderCoating.Web/Views/Inventory/Index.cshtml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PowderCoating.Web/Program.cs b/src/PowderCoating.Web/Program.cs index 8ff44c1..1d38d5e 100644 --- a/src/PowderCoating.Web/Program.cs +++ b/src/PowderCoating.Web/Program.cs @@ -699,7 +699,7 @@ app.Use(async (context, next) => "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " + "img-src 'self' data: https:; " + $"connect-src {cspConnectSrc}; " + - "frame-src https://js.stripe.com https://hooks.stripe.com"); + "frame-src 'self' https://js.stripe.com https://hooks.stripe.com"); // Referrer Policy - control referrer information context.Response.Headers.Append("Referrer-Policy", "strict-origin-when-cross-origin"); diff --git a/src/PowderCoating.Web/Views/Inventory/Index.cshtml b/src/PowderCoating.Web/Views/Inventory/Index.cshtml index 3f6545c..bed3762 100644 --- a/src/PowderCoating.Web/Views/Inventory/Index.cshtml +++ b/src/PowderCoating.Web/Views/Inventory/Index.cshtml @@ -519,7 +519,7 @@ e.stopPropagation(); const frame = document.getElementById('qrLabelFrame'); frame.src = '@Url.Action("Label", "Inventory")/' + itemId + '?embed=true'; - bootstrap.Modal.getOrCreate(document.getElementById('qrLabelModal')).show(); + bootstrap.Modal.getOrCreateInstance(document.getElementById('qrLabelModal')).show(); } // Make table rows clickable
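Review bot: The `'self'` added to the `frame-src` line has no comment saying which feature needs it, and because this middleware sets the header on every response it now permits same-origin frames on all pages, not only the inventory view. I would add `// 'self': the inventory QR label modal embeds Inventory/Label in a same-origin iframe` above that line so the source is not later widened or removed without context. `frame-src` only governs what a page may embed; whether the Label response itself may be framed is decided by `X-Frame-Options` / `frame-ancestors`, which are not visible in this hunk, so it is worth confirming they allow same-origin framing and nothing broader. The `app.Use` lambda starts and ends outside the hunk.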
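Review bot: `itemId` is concatenated into the iframe URL unencoded on the `frame.src` line just above the corrected `getOrCreateInstance` call. Where the value comes from is not visible here, but if it is ever non-numeric (for example read from a data attribute), a `/`, `?` or `#` in it would point the frame at a different same-origin URL, which the relaxed `frame-src` in this commit now allows. Suggest `frame.src = '@Url.Action("Label", "Inventory")/' + encodeURIComponent(itemId) + '?embed=true';`. The enclosing function starts outside the hunk.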