fix(gateway): allow required Google Fonts origins in Control UI CSP (#29279)

* Gateway: allow Google Fonts stylesheet and font CDN in Control UI CSP * Tests: assert Control UI CSP allows required Google Fonts origins * Gateway: fix CSP comment for Google Fonts allowlist intent * Tests: split dedicated Google Fonts CSP assertion
2026-02-27 23:58:51 -08:00
parent f810932859
commit d123ade0cb
2 changed files with 11 additions and 3 deletions
--- a/src/gateway/control-ui-csp.test.ts
+++ b/src/gateway/control-ui-csp.test.ts
@@ -7,6 +7,12 @@ describe("buildControlUiCspHeader", () => {
    expect(csp).toContain("frame-ancestors 'none'");
    expect(csp).toContain("script-src 'self'");
    expect(csp).not.toContain("script-src 'self' 'unsafe-inline'");
-    expect(csp).toContain("style-src 'self' 'unsafe-inline'");
+    expect(csp).toContain("style-src 'self' 'unsafe-inline' https://fonts.googleapis.com");
+  });
+
+  it("allows Google Fonts for style and font loading", () => {
+    const csp = buildControlUiCspHeader();
+    expect(csp).toContain("https://fonts.googleapis.com");
+    expect(csp).toContain("font-src 'self' https://fonts.gstatic.com");
  });
 });
--- a/src/gateway/control-ui-csp.ts
+++ b/src/gateway/control-ui-csp.ts
@@ -1,15 +1,17 @@
 export function buildControlUiCspHeader(): string {
  // Control UI: block framing, block inline scripts, keep styles permissive
  // (UI uses a lot of inline style attributes in templates).
+  // Keep Google Fonts origins explicit in CSP for deployments that load
+  // external Google Fonts stylesheets/font files.
  return [
    "default-src 'self'",
    "base-uri 'none'",
    "object-src 'none'",
    "frame-ancestors 'none'",
    "script-src 'self'",
-    "style-src 'self' 'unsafe-inline'",
+    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
    "img-src 'self' data: https:",
-    "font-src 'self'",
+    "font-src 'self' https://fonts.gstatic.com",
    "connect-src 'self' ws: wss:",
  ].join("; ");
 }