authorGrégoire Aubert <gregoire.aubert@sonarsource.com>2024-04-15 11:12:52 +0200
committersonartech <sonartech@sonarsource.com>2024-04-15 20:02:44 +0000
commit6055f0479310bd81bb548ba53a2ef111e1847a74 (patch)
tree9bb626648301d68ab3a998e3a5fda0c7cb4432c5 /server/sonar-webserver/src
parentbc04c220c0c81f240149e2ee6c5af7fff6fb6f54 (diff)
SONAR-21973 Update CSP with font-src to accept data: fonts
Diffstat (limited to 'server/sonar-webserver/src')
-rw-r--r--server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java5
-rw-r--r--server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java1
2 files changed, 4 insertions, 2 deletions
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
index b10f4be7abc..822ae962a46 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/web/CspFilter.java
@@ -31,7 +31,7 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
public class CspFilter implements Filter {
-
+
private final List<String> cspHeaders = new ArrayList<>();
private String policies = null;
@@ -40,11 +40,12 @@ public class CspFilter implements Filter {
cspHeaders.add("Content-Security-Policy");
cspHeaders.add("X-Content-Security-Policy");
cspHeaders.add("X-WebKit-CSP");
-
+
List<String> cspPolicies = new ArrayList<>();
cspPolicies.add("default-src 'self'");
cspPolicies.add("base-uri 'none'");
cspPolicies.add("connect-src 'self' http: https:");
+ cspPolicies.add("font-src 'self' data:");
cspPolicies.add("img-src * data: blob:");
cspPolicies.add("object-src 'none'");
cspPolicies.add("script-src 'self'");
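Review bot: The added `cspPolicies.add("font-src 'self' data:");` relaxes the policy without a comment recording why, so a later reader cannot tell whether `data:` is still required or can be dropped. Before this line fonts fell back to `default-src 'self'`, so the change only adds inline `data:` fonts and still blocks remote font hosts; I would record that above the line, e.g. `// SONAR-21973: allow fonts embedded as data: URIs; remote font origins stay blocked`. The joined policy is presumably sent under all three header names listed at the top of the hunk, including the legacy `X-Content-Security-Policy` and `X-WebKit-CSP`, so the relaxation would apply to each of them. The enclosing method starts and ends outside the hunk.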
diff --git a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
index d895fa75ef9..b021d79b96d 100644
--- a/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
+++ b/server/sonar-webserver/src/test/java/org/sonar/server/platform/web/CspFilterTest.java
@@ -39,6 +39,7 @@ public class CspFilterTest {
private static final String EXPECTED = "default-src 'self'; " +
"base-uri 'none'; " +
"connect-src 'self' http: https:; " +
+ "font-src 'self' data:; " +
"img-src * data: blob:; " +
"object-src 'none'; " +
"script-src 'self'; " +