SONAR-21973 Update CSP with font-src to accept data: fonts

author Grégoire Aubert <gregoire.aubert@sonarsource.com>

Mon, 15 Apr 2024 09:12:52 +0000 (11:12 +0200)

committer sonartech <sonartech@sonarsource.com>

Mon, 15 Apr 2024 20:02:44 +0000 (20:02 +0000)
author Grégoire Aubert <gregoire.aubert@sonarsource.com>
Mon, 15 Apr 2024 09:12:52 +0000 (11:12 +0200)
committer sonartech <sonartech@sonarsource.com>
Mon, 15 Apr 2024 20:02:44 +0000 (20:02 +0000)
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java

index b73ad8656a105b24a94ffaf7b9f4ec43b284b2fa..0dd29edb9f5d1677b3cfe436e82438ad6a097925 100644 (file)
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java
@@ -37,6 +37,7 @@ public class SamlValidationCspHeaders {
        "default-src 'self'",
        "base-uri 'none'",
        "connect-src 'self' http: https:",
+      "font-src 'self' data:;" +
        "img-src * data: blob:",
        "object-src 'none'",
        "script-src 'nonce-" + nonce + "'",
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java

index b10f4be7abc3347a407a84378435850f0d35aa07..822ae962a464a092a1c6996ca5eb243004437be7 100644 (file)
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
@@ -31,7 +31,7 @@ import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletResponse;
  
  public class CspFilter implements Filter {
-  
+
    private final List<String> cspHeaders = new ArrayList<>();
    private String policies = null;
  
@@ -40,11 +40,12 @@ public class CspFilter implements Filter {
      cspHeaders.add("Content-Security-Policy");
      cspHeaders.add("X-Content-Security-Policy");
      cspHeaders.add("X-WebKit-CSP");
-    
+
      List<String> cspPolicies = new ArrayList<>();
      cspPolicies.add("default-src 'self'");
      cspPolicies.add("base-uri 'none'");
      cspPolicies.add("connect-src 'self' http: https:");
+    cspPolicies.add("font-src 'self' data:");
      cspPolicies.add("img-src * data: blob:");
      cspPolicies.add("object-src 'none'");
      cspPolicies.add("script-src 'self'");
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java

index d895fa75ef9399145de3d208a31498895e57486d..b021d79b96d95b4aa78400eb3c6d6375b086d510 100644 (file)
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
@@ -39,6 +39,7 @@ public class CspFilterTest {
    private static final String EXPECTED = "default-src 'self'; " +
      "base-uri 'none'; " +
      "connect-src 'self' http: https:; " +
+    "font-src 'self' data:; " +
      "img-src * data: blob:; " +
      "object-src 'none'; " +
      "script-src 'self'; " +
author	Grégoire Aubert <gregoire.aubert@sonarsource.com>
	Mon, 15 Apr 2024 09:12:52 +0000 (11:12 +0200)
committer	sonartech <sonartech@sonarsource.com>
	Mon, 15 Apr 2024 20:02:44 +0000 (20:02 +0000)
server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java		patch \| blob \| history
server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java		patch \| blob \| history
server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java		patch \| blob \| history