Add style-src self & Google Fonts

author: Joe Banks <[email protected]> 2024-08-19 02:22:44 +0100
committer: Joe Banks <[email protected]> 2024-08-19 02:22:44 +0100
commit: dddfe3cd486192a763e9a462ff2fb8d6a19bc765 (patch)
tree: 7502e0d388474ee6737851209a82d4a60f7bed85
parent: Allow UNPKG in CSP (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/thallium-backend/src/app.py b/thallium-backend/src/app.py
index 638cc1f..d3a29e0 100644
--- a/thallium-backend/src/app.py
+++ b/thallium-backend/src/app.py
@@ -44,7 +44,8 @@ async def add_process_time_and_security_headers(
     response.headers["Content-Security-Policy"] = (
         "default-src 'self';"
         " script-src 'unsafe-inline' https://cdn.jsdelivr.net/ https://unpkg.com/;"
-        " style-src https://cdn.jsdelivr.net/ https://fonts.googleapis.com/;"
+        " style-src 'self' https://cdn.jsdelivr.net/ https://fonts.googleapis.com/;"
+        " font-src https://fonts.gstatic.com/;"
         " img-src 'self' data:;"
     )
     response.headers["Referrer-Policy"] = "no-referrer"
author	Joe Banks <[email protected]>	2024-08-19 02:22:44 +0100
committer	Joe Banks <[email protected]>	2024-08-19 02:22:44 +0100
commit	dddfe3cd486192a763e9a462ff2fb8d6a19bc765 (patch)
tree	7502e0d388474ee6737851209a82d4a60f7bed85
parent	Allow UNPKG in CSP (diff)