fix(csp): adds font and blob src to whitelist

Adds font and blob sources to the CSP whitelist.
Third-Culture-Software · Aug 3, 2020 · 629cae3 · 629cae3
1 parent ea1b067
commit 629cae3
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/server/config/express.js b/server/config/express.js
@@ -40,7 +40,14 @@ exports.configure = function configure(app) {
   debug('configuring middleware.');
 
   // helmet guards
-  app.use(helmet({ contentSecurityPolicy : { directives : { defaultSrc : ['\'self\'', '\'unsafe-inline\''] } } }));
+  app.use(helmet({
+    contentSecurityPolicy : {
+      directives : {
+        defaultSrc : ['\'self\'', '\'unsafe-inline\'', 'blob:'],
+        fontSrc : ['\'self\'', '\'https://fonts.gstatic.com\''],
+      },
+    },
+  }));
 
   app.use(bodyParser.json({ limit : '8mb' }));
   app.use(bodyParser.urlencoded({ extended : false }));