
Commit d123ade

fix(gateway): allow required Google Fonts origins in Control UI CSP (#29279)
* Gateway: allow Google Fonts stylesheet and font CDN in Control UI CSP * Tests: assert Control UI CSP allows required Google Fonts origins * Gateway: fix CSP comment for Google Fonts allowlist intent * Tests: split dedicated Google Fonts CSP assertion
1 parent f810932 commit d123ade


2 files changed

+11
-3
lines changed


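--- a/src/gateway/control-ui-csp.test.ts
+++ b/src/gateway/control-ui-csp.test.ts
@@ -7,6 +7,12 @@ describe("buildControlUiCspHeader", () => {
 expect(csp).toContain("frame-ancestors 'none'");
 expect(csp).toContain("script-src 'self'");
 expect(csp).not.toContain("script-src 'self' 'unsafe-inline'");
-expect(csp).toContain("style-src 'self' 'unsafe-inline'");
+expect(csp).toContain("style-src 'self' 'unsafe-inline' https://fonts.googleapis.com");
+});
+
+it("allows Google Fonts for style and font loading", () => {
+const csp = buildControlUiCspHeader();
+expect(csp).toContain("https://fonts.googleapis.com");
+expect(csp).toContain("font-src 'self' https://fonts.gstatic.com");
 });
 });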
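Review bot: The first assertion of the new "allows Google Fonts" test, `expect(csp).toContain("https://fonts.googleapis.com")`, is weaker than the style-src assertion just above it and would also pass if the origin ended up in script-src or connect-src, which is exactly the kind of CSP regression this test should catch. Pin the origin to its directive, e.g. `expect(csp).toMatch(/style-src [^;]*https:\/\/fonts\.googleapis\.com/);` and add the negative check `expect(csp).not.toMatch(/script-src [^;]*fonts\.googleapis\.com/);` so a later edit cannot silently widen script-src. The font-src assertion already uses the directive-scoped form, so only the first line needs changing. The enclosing `describe` block begins before this hunk.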

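--- a/src/gateway/control-ui-csp.ts
+++ b/src/gateway/control-ui-csp.ts
@@ -1,15 +1,17 @@
 export function buildControlUiCspHeader(): string {
 // Control UI: block framing, block inline scripts, keep styles permissive
 // (UI uses a lot of inline style attributes in templates).
+// Keep Google Fonts origins explicit in CSP for deployments that load
+// external Google Fonts stylesheets/font files.
 return [
 "default-src 'self'",
 "base-uri 'none'",
 "object-src 'none'",
 "frame-ancestors 'none'",
 "script-src 'self'",
-"style-src 'self' 'unsafe-inline'",
+"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 "img-src 'self' data: https:",
-"font-src 'self'",
+"font-src 'self' https://fonts.gstatic.com",
 "connect-src 'self' ws: wss:",
 ].join("; ");
 }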
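Review bot: The new comment says the Google Fonts origins are there "for deployments that load external Google Fonts", but the allowlist in the style-src and font-src entries is unconditional, so every deployment — including ones that serve fonts locally or run without egress — now permits the Control UI to pull stylesheets and font files from two third-party origins. From a least-privilege standpoint that should be opt-in (or at least opt-out), with the policy otherwise staying `style-src 'self' 'unsafe-inline'` / `font-src 'self'`. An options parameter with a default that preserves the committed behavior keeps the existing callers and the new test working while letting an operator tighten the policy; the sketch below shows the shape. If the gateway already has a config surface for the Control UI, the flag presumably belongs there rather than as a bare boolean — worth confirming.
```typescript
export function buildControlUiCspHeader(opts: { allowGoogleFonts?: boolean } = {}): string {
  // … unchanged: existing comments …
  // Default keeps the current behavior; operators who self-host fonts can pass false.
  const allowGoogleFonts = opts.allowGoogleFonts ?? true;
  const styleSrc = allowGoogleFonts
    ? "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"
    : "style-src 'self' 'unsafe-inline'";
  const fontSrc = allowGoogleFonts ? "font-src 'self' https://fonts.gstatic.com" : "font-src 'self'";
  return [
    // … unchanged: default-src through script-src …
    styleSrc,
    "img-src 'self' data: https:",
    fontSrc,
    // … unchanged: connect-src and join …
```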
