From c086fa4260bdabbcd43671f979c219138772568c Mon Sep 17 00:00:00 2001
From: Tomas Kracmar
Date: Mon, 27 Apr 2026 10:39:33 +0200
Subject: [PATCH] hotfix(v1.7.11): add unsafe-eval to CSP for Alpine.js

---
 VERSION | 2 +-
 backend/main.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/VERSION b/VERSION
index a412349..8f8b3f7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.7.10
+1.7.11
diff --git a/backend/main.py b/backend/main.py
index 9ff688b..065e7de 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -92,7 +92,7 @@ async def cache_control_middleware(request: Request, call_next):
 if request.url.path.startswith("/api/") or request.url.path in ("/", "/index.html"):
 response.headers["Content-Security-Policy"] = (
 "default-src 'self'; "
- "script-src 'self' 'unsafe-inline' cdn.jsdelivr.net alcdn.msauth.net; "
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net alcdn.msauth.net; "
 "style-src 'self' 'unsafe-inline'; "
 "connect-src 'self' https://login.microsoftonline.com; "
 "frame-src 'self' https://login.microsoftonline.com; "
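Review bot: Adding `'unsafe-eval'` to `script-src` next to `'unsafe-inline'` and the whole `cdn.jsdelivr.net` host leaves this CSP with very little value as an XSS mitigation, and the same header is sent for every `/api/` path, where no script needs to run at all. If the goal is only to let Alpine.js evaluate its expressions, the `@alpinejs/csp` build avoids eval-style evaluation and would let this line stay as it was; failing that, keep the relaxed policy to `/` and `/index.html` and give `/api/` responses something like `"default-src 'none'; frame-ancestors 'none'"`. Either way the line deserves a comment such as `# 'unsafe-eval' is needed by the standard Alpine.js build; drop it once the frontend uses the CSP build`. The policy string and the rest of cache_control_middleware continue outside the hunk, so later directives are not visible here.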