functions: allow loading styles and images from the jQuery CDN

Ref jquery/infrastructure-puppet#54
Closes gh-471

themes/api.jquery.com/functions.php

@@ -3,6 +3,6 @@
 // Allow inline scripts and styles in API demos
 add_filter( 'jq_content_security_policy', function ( $policy ) {
 	$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
-	$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
+	$policy[ 'style-src' ] = "'self' 'unsafe-inline' code.jquery.com";
 	return $policy;
 } );

themes/api.jquerymobile.com/functions.php

@@ -32,6 +32,6 @@ function jq_mobile_api_version_current() {
 // Allow inline scripts and styles in API demos
 add_filter( 'jq_content_security_policy', function ( $policy ) {
 	$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
-	$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
+	$policy[ 'style-src' ] = "'self' 'unsafe-inline' code.jquery.com";
 	return $policy;
 } );

themes/api.jqueryui.com/functions.php

@@ -28,6 +28,6 @@ function jq_ui_api_version_current() {
 // Allow inline scripts and styles in API demos
 add_filter( 'jq_content_security_policy', function ( $policy ) {
 	$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
-	$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
+	$policy[ 'style-src' ] = "'self' 'unsafe-inline' code.jquery.com";
 	return $policy;
 } );

themes/jquery/functions.php

@@ -265,9 +265,9 @@ function jq_content_security_policy() {
 		'default-src' => "'self'",
 		'script-src' => "'self' 'nonce-$nonce' code.jquery.com",
 		// The nonce is here so inline scripts can be used in the theme
-		'style-src' => "'self' 'nonce-$nonce'",
+		'style-src' => "'self' 'nonce-$nonce' code.jquery.com",
 		// data: SVG images are used in typesense
-		'img-src' => "'self' data:",
+		'img-src' => "'self' data: code.jquery.com",
 		'connect-src' => "'self' typesense.jquery.com",
 		'font-src' => "'self'",
 		'object-src' => "'none'",