From 6dac4ce52ad3044c6ff546d71b8e58375154cdb5 Mon Sep 17 00:00:00 2001
From: lockbitchat <lockbitchat@tutanota.com>
Date: Tue, 16 Jun 2026 01:09:02 -0400
Subject: [PATCH] fix(csp): allow stun:/turn: schemes in connect-src

Chrome enforces CSP connect-src for WebRTC ICE servers. Without the
stun/stuns/turn/turns schemes the browser silently dropped STUN/TURN
candidates (only host candidates remained), breaking custom-server
connectivity test results and real cross-network ICE.
---
 index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.html b/index.html
index d9bb60d..24d1f2a 100644
--- a/index.html
+++ b/index.html
@@ -8,7 +8,7 @@
            script-src 'self';
            style-src 'self' 'unsafe-inline';
            font-src 'self' https://fonts.gstatic.com data:;
-           connect-src 'self' https: wss: ws:;
+           connect-src 'self' https: wss: ws: stun: stuns: turn: turns:;
            img-src 'self' data: https:;
            media-src 'none';
            object-src 'none';