fix: load Google Fonts correctly with strict CSP

- Allow fonts.googleapis.com in style-src and fonts.gstatic.com in font-src
- Add Google Fonts preconnect links and import (Griffy, Kalam, Creepster, Henny Penny)
- Set body font to Kalam and heading font to Griffy
- Disable Angular inlineCritical optimisation to prevent deferred CSS loading via onload attribute, which was blocked by the strict script-src CSP
2026-03-05 10:26:31 -08:00
committed by Naomi Carrigan
parent 163738867b
commit 3b3ac3d1ef
4 changed files with 32 additions and 3 deletions
+2 -2
@@ -14,11 +14,11 @@ const helmetPlugin: FastifyPluginAsync = async (app) => {
directives: {
defaultSrc: ["'self'"],
// Angular uses inline styles for component encapsulation, so we need to allow them
styleSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
imgSrc: ["'self'", "data:", "https:"],
scriptSrc: ["'self'"],
connectSrc: ["'self'", process.env.FRONTEND_URL ?? "http://localhost:4200"],
fontSrc: ["'self'", "data:"],
fontSrc: ["'self'", "data:", "https://fonts.gstatic.com"],
objectSrc: ["'none'"],
baseUri: ["'self'"],
formAction: ["'self'"],
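Review bot: The two new allowlist entries (`"https://fonts.googleapis.com"` in styleSrc and `"https://fonts.gstatic.com"` in fontSrc) carry no comment explaining why a third-party origin is being admitted, unlike the `'unsafe-inline'` entry just above them, so a later reviewer cannot tell whether they are still needed once the font import changes. I would add `// Google Fonts: stylesheet served from fonts.googleapis.com, font files from fonts.gstatic.com; remove both if the fonts are ever self-hosted` above the styleSrc line. Self-hosting the four font families the description lists would be the more conservative option, since it keeps both directives at `'self'` and avoids the third-party request entirely; whether that is acceptable depends on the project's bundling choices, which are not visible here. The helmetPlugin body continues outside the hunk.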