Should resourceDomain be in script-src and style-src?

[connor4312]

Raised in microsoft/vscode#286690, currently the spec says script-src and style-src should only allow safe 'unsafe-inline' https://github.com/modelcontextprotocol/ext-apps/blob/main/specification/draft/apps.mdx#4-content-security-policy-enforcement

Is this intentional or should resourceDomain be added to those too?

[idosal]

Thanks @connor4312 ! Great catch, that's a bug in that part of the spec.
The correct part is on the resourceDomains docs:

Maps to CSP `img-src`, `script-src`, `style-src`, `font-src`, `media-src` directives

I'll issue a fix soon.

[connor4312]

Thanks! I'll go ahead and merge their PR then 🙂