From 4a0d0da59e4c8d5183dcd1307a676e729a8a3f86 Mon Sep 17 00:00:00 2001
From: "Michael J. Radwin"
Date: Tue, 10 Sep 2024 19:27:22 -0700
Subject: [PATCH] Allow data: URLs for CSP font-src

---
 package.json   | 8 ++++----
 src/app-www.js | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index 75d9827..e6b347c 100644
--- a/package.json
+++ b/package.json
@@ -55,18 +55,18 @@
   "@hebcal/locales": "^5.0.1",
   "@hebcal/rest-api": "^5.1.2",
   "@hebcal/triennial": "^5.1.2",
-  "better-sqlite3": "^11.2.1",
+  "better-sqlite3": "^11.3.0",
   "dayjs": "^1.11.13",
   "ejs": "^3.1.10",
   "emoji-flag": "^1.1.0",
   "etag": "^1.8.1",
   "fastest-levenshtein": "^1.0.16",
-  "geo-tz": "^8.0.2",
+  "geo-tz": "^8.1.1",
   "geolite2-redist": "^3.1.1",
   "google-protobuf": "^3.21.4",
   "haversine": "^1.1.1",
   "http-errors": "^2.0.0",
-  "ini": "^4.1.3",
+  "ini": "^5.0.0",
   "koa": "^2.15.3",
   "koa-better-response-time": "^1.2.0",
   "koa-bodyparser": "^4.4.1",
@@ -79,7 +79,7 @@
   "koa-timeout-v2": "^1.0.0",
   "maxmind": "^4.3.21",
   "murmurhash3": "^0.5.0",
-  "mysql2": "^3.11.0",
+  "mysql2": "^3.11.1",
   "nodemailer": "^6.9.15",
   "nodemailer-html-to-text": "^3.2.0",
   "pdfkit": "^0.15.0",
diff --git a/src/app-www.js b/src/app-www.js
index cf15743..8d80e6b 100644
--- a/src/app-www.js
+++ b/src/app-www.js
@@ -231,7 +231,7 @@ app.use(async function strictContentSecurityPolicy(ctx, next) {
       ` frame-ancestors https: data:;` +
       ` frame-src https: data:;` +
       ` img-src 'self' https: data:;` +
-      ` font-src 'self' https://fonts.gstatic.com/;` +
+      ` font-src 'self' data: https://fonts.gstatic.com/;` +
       ` object-src 'none';` +
       ` base-uri 'none'`;
   ctx.set('Content-Security-Policy', csp);
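Review bot: The new `font-src` line records nothing about which asset actually ships fonts as `data:` URLs, so a later maintainer cannot tell whether the allowance is still needed or can be tightened back to the two hosts; add a why-comment above it such as `// data: needed for <asset> which inlines its fonts as data: URLs — remove if that asset is self-hosted` with the real asset named. `data:` in `font-src` is commonly treated as low risk because fonts carry no script, but it does widen the policy from two allowlisted origins to any inline font an injected stylesheet could supply (if inline styles are permitted elsewhere in the policy, which this hunk does not show), so self-hosting the font under `'self'` would keep the allowlist closed if the set is small. The permissive `frame-ancestors https: data:` and `img-src https:` entries are unchanged context here, not part of this change. The enclosing `strictContentSecurityPolicy` middleware begins before the hunk and continues after it.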