From 6055f0479310bd81bb548ba53a2ef111e1847a74 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gr=C3=A9goire=20Aubert?=
Date: Mon, 15 Apr 2024 11:12:52 +0200
Subject: [PATCH] SONAR-21973 Update CSP with font-src to accept data: fonts

---
 .../server/authentication/SamlValidationCspHeaders.java | 1 +
 .../main/java/org/sonar/server/platform/web/CspFilter.java | 5 +++--
 .../java/org/sonar/server/platform/web/CspFilterTest.java | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java
index b73ad8656a1..0dd29edb9f5 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SamlValidationCspHeaders.java
@@ -37,6 +37,7 @@ public class SamlValidationCspHeaders {
 "default-src 'self'",
 "base-uri 'none'",
 "connect-src 'self' http: https:",
+ "font-src 'self' data:;" +
 "img-src * data: blob:",
 "object-src 'none'",
 "script-src 'nonce-" + nonce + "'",
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
index b10f4be7abc..822ae962a46 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
@@ -31,7 +31,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 public class CspFilter implements Filter {
-
+
 private final List cspHeaders = new ArrayList<>();
 private String policies = null;
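Review bot: The added entry `"font-src 'self' data:;" +` ends with a Java string concatenation rather than a comma, so it is glued onto the following `"img-src * data: blob:"` and the list gains a single element `font-src 'self' data:;img-src * data: blob:` with a hard-coded `;`, unlike every other entry here and unlike the separate `cspPolicies.add("font-src 'self' data:")` added to CspFilter in the same commit. The CSP grammar splits directives on `;` and tolerates the missing space, so the browser will most likely still enforce both directives, but anything that inspects or joins the list element by element now sees one malformed entry, and the diffstat shows no test update for SamlValidationCspHeaders, so nothing would have caught this the way CspFilterTest's EXPECTED string catches the CspFilter copy. Change the line to `"font-src 'self' data:",`. The list literal and the code that serialises it into the header start and end outside the hunk, so how the entries are joined is inferred from the CspFilter counterpart.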
@@ -40,11 +40,12 @@ public class CspFilter implements Filter {
 cspHeaders.add("Content-Security-Policy");
 cspHeaders.add("X-Content-Security-Policy");
 cspHeaders.add("X-WebKit-CSP");
-
+
 List cspPolicies = new ArrayList<>();
 cspPolicies.add("default-src 'self'");
 cspPolicies.add("base-uri 'none'");
 cspPolicies.add("connect-src 'self' http: https:");
+ cspPolicies.add("font-src 'self' data:");
 cspPolicies.add("img-src * data: blob:");
 cspPolicies.add("object-src 'none'");
 cspPolicies.add("script-src 'self'");
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
index d895fa75ef9..b021d79b96d 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
@@ -39,6 +39,7 @@ public class CspFilterTest {
 private static final String EXPECTED = "default-src 'self'; " +
 "base-uri 'none'; " +
 "connect-src 'self' http: https:; " +
+ "font-src 'self' data:; " +
 "img-src * data: blob:; " +
 "object-src 'none'; " +
 "script-src 'self'; " +
-- 
2.39.5
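Review bot: The new `cspPolicies.add("font-src 'self' data:")` relaxes the policy without recording why, and the only hint a future reader gets is the commit subject; a one-line comment keeps the directive from being tightened back by mistake, e.g. `// data: allows fonts embedded as data URIs (SONAR-21973); fonts are not executable, so this is a much smaller relaxation than data: in script-src or object-src would be`. The same directive list is built independently here and in SamlValidationCspHeaders, and this commit already shows the two copies diverging in form, so moving the shared directives into one constant that both files consume would stop the drift. The method that turns this list into the `policies` string starts and ends outside the hunk, so its exact join format is inferred from the EXPECTED string in CspFilterTest.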