From aaaa68ea7fbd85611f02b18f1dd3e633f35c8101 Mon Sep 17 00:00:00 2001
From: shaw <shaw-wei@foxmail.com>
Date: Tue, 6 Jan 2026 09:15:03 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20CSP=20=E7=AD=96?=
 =?UTF-8?q?=E7=95=A5=E9=98=BB=E6=AD=A2=20Cloudflare=20Turnstile=20?=
 =?UTF-8?q?=E5=8A=A0=E8=BD=BD=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

在 script-src 和 frame-src 中添加 challenges.cloudflare.com 域名，
允许 Turnstile 脚本加载和 iframe 渲染。
---
 backend/internal/config/config.go | 2 +-
 deploy/config.example.yaml        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
index 6886d84e..0490ed06 100644
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -17,7 +17,7 @@ const (
 	RunModeSimple   = "simple"
 )
 
-const DefaultCSPPolicy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+const DefaultCSPPolicy = "default-src 'self'; script-src 'self' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-src https://challenges.cloudflare.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
 
 // 连接池隔离策略常量
 // 用于控制上游 HTTP 连接池的隔离粒度，影响连接复用和资源消耗
diff --git a/deploy/config.example.yaml b/deploy/config.example.yaml
index f43c9c19..84f5f578 100644
--- a/deploy/config.example.yaml
+++ b/deploy/config.example.yaml
@@ -97,7 +97,7 @@ security:
     enabled: true
     # Default CSP policy (override if you host assets on other domains)
     # 默认 CSP 策略（如果静态资源托管在其他域名，请自行覆盖）
-    policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+    policy: "default-src 'self'; script-src 'self' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-src https://challenges.cloudflare.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
   proxy_probe:
     # Allow skipping TLS verification for proxy probe (debug only)
     # 允许代理探测时跳过 TLS 证书验证（仅用于调试）