From: Grégoire Aubert
Date: Mon, 15 Apr 2024 09:12:52 +0000 (+0200)
Subject: SONAR-21973 Update CSP with font-src to accept data: fonts
X-Git-Tag: 10.6.0.92116~208
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=6055f0479310bd81bb548ba53a2ef111e1847a74;p=sonarqube.git
SONAR-21973 Update CSP with font-src to accept data: fonts
---
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java
index b73ad8656a1..0dd29edb9f5 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java
@@ -37,6 +37,7 @@ public class SamlValidationCspHeaders {
  "default-src 'self'",
  "base-uri 'none'",
  "connect-src 'self' http: https:",
+ "font-src 'self' data:;" +
  "img-src * data: blob:",
  "object-src 'none'",
  "script-src 'nonce-" + nonce + "'",
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
index b10f4be7abc..822ae962a46 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
@@ -31,7 +31,7 @@ import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletResponse;
  public class CspFilter implements Filter {
-
+
  private final List cspHeaders = new ArrayList<>();
  private String policies = null;
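Review bot: The added line in SamlValidationCspHeaders ends with `data:;" +`, so as far as the collapsed hunk shows the font-src entry is string-concatenated with the following `"img-src * data: blob:"` into one list element carrying an embedded `;`, instead of being its own element the way the CspFilter hunk does it with `cspPolicies.add("font-src 'self' data:")`. Once the elements are joined the resulting header most likely still parses (`font-src 'self' data:;img-src * data: blob:` reads as two directives), which is presumably why nothing visibly broke, but the element count and the element text are not what a reader or a per-directive assertion would expect, and the two CSP builders now disagree in shape. I would change the added line to `"font-src 'self' data:",` and drop the trailing `+`. Only CspFilterTest is touched in this commit; an assertion on the exact joined header emitted by SamlValidationCspHeaders would have caught this. The list literal and its enclosing method begin and end outside the hunk.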
@@ -40,11 +40,12 @@ public class CspFilter implements Filter {
  cspHeaders.add("Content-Security-Policy");
  cspHeaders.add("X-Content-Security-Policy");
  cspHeaders.add("X-WebKit-CSP");
-
+
  List cspPolicies = new ArrayList<>();
  cspPolicies.add("default-src 'self'");
  cspPolicies.add("base-uri 'none'");
  cspPolicies.add("connect-src 'self' http: https:");
+ cspPolicies.add("font-src 'self' data:");
  cspPolicies.add("img-src * data: blob:");
  cspPolicies.add("object-src 'none'");
  cspPolicies.add("script-src 'self'");
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
index d895fa75ef9..b021d79b96d 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
@@ -39,6 +39,7 @@ public class CspFilterTest {
  private static final String EXPECTED = "default-src 'self'; " +
  "base-uri 'none'; " +
  "connect-src 'self' http: https:; " +
+ "font-src 'self' data:; " +
  "img-src * data: blob:; " +
  "object-src 'none'; " +
  "script-src 'self'; " +
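Review bot: The new `cspPolicies.add("font-src 'self' data:");` records no reason for relaxing font-src to `data:` URIs, and the surrounding policy list has no comments either, so whoever later tightens the policy has to rediscover why it is there. A one-line comment above the add, for example `// data: allows fonts embedded as data URIs (SONAR-21973)`, would preserve the rationale the commit title gives. The method this list is built in starts before and ends after the hunk.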