Merge pull request #21822 from kavyanekkalapu/secure_headers

Update csp to support charts download
ManageIQ · Apr 19, 2022 · 619680b · 619680b
2 parents d8c6cf0 + ce6d183
commit 619680b
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
@@ -12,13 +12,15 @@
     # X-Permitted-Cross-Domain-Policies
     config.x_xss_protection = "1; mode=block"
     # Content-Security-Policy
+    # Need google fonts in fonts_src for https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed%7CIBM+Plex+Sans:400,600&display=swap (For carbon-charts download)
     config.csp = {
       :report_only => false,
       :default_src => ["'self'"],
       :frame_src   => ["'self'"],
-      :font_src    => ["'self'", 'https://fonts.gstatic.com'],
+      :font_src    => ["'self'", 'https://fonts.gstatic.com', "https://fonts.googleapis.com"],
+      :img_src     => ["'self'", "data:"],
       :connect_src => ["'self'"],
-      :style_src   => ["'unsafe-inline'", "'self'"],
+      :style_src   => ["'unsafe-inline'", "'self'", "https://fonts.googleapis.com", "https://fonts.gstatic.com"],
       :script_src  => ["'unsafe-eval'", "'unsafe-inline'", "'self'"],
       :report_uri  => ["/dashboard/csp_report"]
     }