From 629cae3680cac8e0c33e449194ae051af6f0421c Mon Sep 17 00:00:00 2001
From: Jonathan Niles
Date: Mon, 3 Aug 2020 13:06:41 +0100
Subject: [PATCH] fix(csp): adds font and blob src to whitelist

Adds font and blob sources to the CSP whitelist.
---
 server/config/express.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/config/express.js b/server/config/express.js
index 1cdd562f6d..c99038fbe7 100644
--- a/server/config/express.js
+++ b/server/config/express.js
@@ -40,7 +40,14 @@ exports.configure = function configure(app) {
   debug('configuring middleware.');
 
   // helmet guards
-  app.use(helmet({ contentSecurityPolicy : { directives : { defaultSrc : ['\'self\'', '\'unsafe-inline\''] } } }));
+  app.use(helmet({
+    contentSecurityPolicy : {
+      directives : {
+        defaultSrc : ['\'self\'', '\'unsafe-inline\'', 'blob:'],
+        fontSrc : ['\'self\'', '\'https://fonts.gstatic.com\''],
+      },
+    },
+  }));
   app.use(bodyParser.json({ limit : '8mb' }));
   app.use(bodyParser.urlencoded({ extended : false }));
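Review bot: The new fontSrc entry on the added lines wraps the host in single quotes, `'\'https://fonts.gstatic.com\''`, which serialises as `'https://fonts.gstatic.com'` in the Content-Security-Policy header; CSP treats quoted tokens only as keywords (`'self'`, `'unsafe-inline'`, nonces, hashes), so a quoted host is not a valid source expression and browsers ignore it, leaving fonts from that host blocked despite this commit. It should be an unquoted host source, `fontSrc : ['\'self\'', 'https://fonts.gstatic.com'],`. Adding `blob:` to defaultSrc also widens every directive that falls back to it, script-src included, so if the consumer of blob URLs is known (images, workers, media) it is tighter to list `blob:` under that specific directive instead. The trailing context line of this hunk and the rest of configure() lie outside the visible chunk.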