From d4a9bb3c7e090f5fbea4df596be0c6261b3b4ac3 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Thu, 4 Oct 2018 03:02:55 +0200 Subject: [PATCH] Add `data:` URL to CSP and upgrade helmet Seems like the old version of helmet had a problem with `data:`. This patch upgrades to the latest version and adds the CSP rule to allow Google Fonts and the offline version of it, to properly include the fonts and no longer throw ugly error messages at us. Signed-off-by: Sheogorath --- lib/csp.js | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/csp.js b/lib/csp.js index 0987df85d..96be533a7 100644 --- a/lib/csp.js +++ b/lib/csp.js @@ -9,7 +9,7 @@ var defaultDirectives = { // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594 imgSrc: ['*'], styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views - fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'], + fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'], objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/ mediaSrc: ['*'], childSrc: ['*'], diff --git a/package.json b/package.json index 6d4612250..6a48e9031 100644 --- a/package.json +++ b/package.json @@ -46,7 +46,7 @@ "gist-embed": "~2.6.0", "graceful-fs": "^4.1.11", "handlebars": "^4.0.6", - "helmet": "^3.3.0", + "helmet": "^3.13.0", "highlight.js": "~9.12.0", "i18n": "^0.8.3", "imgur": "git+https://github.com/hackmdio/node-imgur.git",