From 9c0c5b6e8374e49883bf7e3fc287b1e5e33fc461 Mon Sep 17 00:00:00 2001
From: summersamara
Date: Sat, 16 Dec 2023 00:11:11 +0100
Subject: [PATCH] Fix fullcalendar CSP errors

- whitelist the 'data:' protocol for fonts
- Add CSP hash directive to allow fullcalendar inline style

---
 lib/web/plugs/http_security_plug.ex | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/web/plugs/http_security_plug.ex b/lib/web/plugs/http_security_plug.ex
index 862803b49..eeb2f3702 100644
--- a/lib/web/plugs/http_security_plug.ex
+++ b/lib/web/plugs/http_security_plug.ex
@@ -77,7 +77,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
   # unsafe-eval is because of JS issues with regenerator-runtime
   @script_src "script-src 'self' 'unsafe-eval' "
   @style_src "style-src 'self' "
-  @font_src "font-src 'self' "
+  @font_src "font-src 'self' data: "
 
   @spec csp_string(Keyword.t()) :: String.t()
   defp csp_string(options) do
@@ -117,6 +117,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
 
     style_src = [style_src] ++ [get_csp_config(:style_src, options)]
 
+    style_src = [style_src] ++ ["'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"]
+
     font_src = [@font_src] ++ [get_csp_config(:font_src, options)]
 
     frame_src = build_csp_field(:frame_src, options)
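Review bot: The new `data:` source in `@font_src` is the only relaxation in this attribute group without a why-comment, while `@script_src` two lines above explains its `'unsafe-eval'`; whoever later tightens the policy has nothing to tell them why `data:` is there. Suggest `# data: is needed for the fonts fullcalendar embeds as data: URIs` directly above the attribute, since the commit message is the only place that reason is recorded. Note the grant applies to every data: URI font, not only fullcalendar's; fonts are not a script-execution vector, so this is a commonly accepted relaxation, but the comment should say that the scope was considered.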
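Review bot: The hash literal appended to `style_src` is the base64 SHA-256 of the empty string, so this directive only admits an empty inline `<style>` element, yet nothing in the code says so; as written it reads like a digest of real fullcalendar CSS that would need regenerating on every upgrade, and a reviewer cannot tell that it adds effectively no attack surface. Suggest lifting it beside `@style_src` as `@style_src_hashes "'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"` with the comment `# SHA-256 of "" — presumably the <style> element fullcalendar injects is empty when the browser checks it; confirm against the reported violation`. The second rebinding of `style_src` directly after the first would then fold into `style_src = [style_src, get_csp_config(:style_src, options), @style_src_hashes]`; the existing line already nests lists, so downstream flattening presumably handles either shape, but that is worth checking. `csp_string/1` starts and ends outside this hunk.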