From 7b755a37b116dd3da02fd54197d014918bfb6816 Mon Sep 17 00:00:00 2001
From: piraces
Date: Fri, 13 Oct 2023 19:57:20 +0200
Subject: [PATCH] fix: add data: to font-src CSP
---
 pkg/server/server.go | 2 +-
 pkg/server/server_test.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/server/server.go b/pkg/server/server.go
index ec0885d2d..874c837dd 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -179,7 +179,7 @@ func validExpiration(expiration int32) bool {
 func SecurityHeadersHandler(next http.Handler) http.Handler {
 csp := []string{
 "default-src 'self'",
- "font-src 'self'",
+ "font-src 'self' data:",
 "form-action 'self'",
 "frame-ancestors 'none'",
 "script-src 'self'",
diff --git a/pkg/server/server_test.go b/pkg/server/server_test.go
index 9dc285333..63b7e4323 100644
--- a/pkg/server/server_test.go
+++ b/pkg/server/server_test.go
@@ -338,7 +338,7 @@ func TestSecurityHeaders(t *testing.T) {
 {
 scheme: "http",
 headers: map[string]string{
- "content-security-policy": "default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'",
+ "content-security-policy": "default-src 'self'; font-src 'self' data:; form-action 'self'; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'",
 "referrer-policy": "no-referrer",
 "x-content-type-options": "nosniff",
 "x-frame-options": "DENY",
@@ -349,7 +349,7 @@ func TestSecurityHeaders(t *testing.T) {
 {
 scheme: "https",
 headers: map[string]string{
- "content-security-policy": "default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'",
+ "content-security-policy": "default-src 'self'; font-src 'self' data:; form-action 'self'; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'",
 "referrer-policy": "no-referrer",
 "strict-transport-security": "max-age=31536000",
 "x-content-type-options": "nosniff",
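Review bot: The new `data:` source on the font-src line in SecurityHeadersHandler carries no comment saying which asset needs it, so a later reader cannot tell whether the exception is still required or can be tightened back to `'self'`. Fonts loaded from data: URIs are not executable, so this is a far smaller relaxation than `data:` on script-src, style-src or object-src would be, but it is still a permanent widening of the policy for what is presumably a bundled stylesheet that inlines its fonts — confirm which one. Serving that font as a file from the same origin would let the directive stay at `'self'`; if the inline form is kept, add a comment above the line such as `// data: is needed for font-src because <asset> embeds its fonts as data URIs; drop it if that asset is replaced.` SecurityHeadersHandler continues past the end of the hunk.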
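Review bot: The full CSP string is now spelled out verbatim in both the http case and the https case of TestSecurityHeaders, so every future change to the policy must be edited in the handler and in two test literals, which is exactly what this commit had to do. Hoisting the expected value into one `const wantCSP = "default-src 'self'; font-src 'self' data:; form-action 'self'; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'"` at the top of the test and referencing it from both cases would keep this hunk and the one at @@ -349 in step. The duplication is a style point only; the expected values themselves match the handler change. TestSecurityHeaders starts and ends outside both hunks.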