d123ade0cb
* Gateway: allow Google Fonts stylesheet and font CDN in Control UI CSP * Tests: assert Control UI CSP allows required Google Fonts origins * Gateway: fix CSP comment for Google Fonts allowlist intent * Tests: split dedicated Google Fonts CSP assertion
18 lines
661 B
TypeScript
18 lines
661 B
TypeScript
export function buildControlUiCspHeader(): string {
|
|
// Control UI: block framing, block inline scripts, keep styles permissive
|
|
// (UI uses a lot of inline style attributes in templates).
|
|
// Keep Google Fonts origins explicit in CSP for deployments that load
|
|
// external Google Fonts stylesheets/font files.
|
|
return [
|
|
"default-src 'self'",
|
|
"base-uri 'none'",
|
|
"object-src 'none'",
|
|
"frame-ancestors 'none'",
|
|
"script-src 'self'",
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
|
|
"img-src 'self' data: https:",
|
|
"font-src 'self' https://fonts.gstatic.com",
|
|
"connect-src 'self' ws: wss:",
|
|
].join("; ");
|
|
}
|