Fix production site issue by removing dynamic CSP function

docker/ploughshares/app.py

@@ -132,17 +132,11 @@ additional_headers = {
     'Cross-Origin-Opener-Policy': 'same-origin'
 }
 
-# Custom function to determine if CSP should be applied
-def csp_for_request():
-    # Disable CSP for API routes
-    if request.path.startswith('/api/'):
-        return None
-    return ui_csp
-
-# Initialize Talisman with a dynamic CSP function
+# Initialize Talisman with the static CSP configuration
+# We'll handle API routes separately in the after_request handler
 talisman = Talisman(
     app,
-    content_security_policy=csp_for_request,
+    content_security_policy=ui_csp,
     content_security_policy_nonce_in=['script-src'],
     feature_policy=permissions_policy,
     force_https=force_https,
@@ -157,7 +151,7 @@ talisman = Talisman(
     session_cookie_http_only=True
 )
 
-# Add CORS headers for API routes
+# Add CORS headers for API routes and handle CSP
 @app.after_request
 def add_api_headers(response):
     if request.path.startswith('/api/'):
@@ -167,7 +161,7 @@ def add_api_headers(response):
         response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
         response.headers['Cross-Origin-Resource-Policy'] = 'cross-origin'
         
-        # Ensure CSP is completely removed for API routes
+        # Remove CSP for API routes to ensure compatibility with clients
         if 'Content-Security-Policy' in response.headers:
             del response.headers['Content-Security-Policy']
     else: