From d123ade0cbb34c08b47f87a2c297bb7edc7ecf3e Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Fri, 27 Feb 2026 23:58:51 -0800
Subject: [PATCH] fix(gateway): allow required Google Fonts origins in Control UI CSP (#29279)

* Gateway: allow Google Fonts stylesheet and font CDN in Control UI CSP
* Tests: assert Control UI CSP allows required Google Fonts origins
* Gateway: fix CSP comment for Google Fonts allowlist intent
* Tests: split dedicated Google Fonts CSP assertion
---
 src/gateway/control-ui-csp.test.ts | 8 +++++++-
 src/gateway/control-ui-csp.ts | 6 ++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/gateway/control-ui-csp.test.ts b/src/gateway/control-ui-csp.test.ts
index 012c82665..7e69d48e7 100644
--- a/src/gateway/control-ui-csp.test.ts
+++ b/src/gateway/control-ui-csp.test.ts
@@ -7,6 +7,12 @@ describe("buildControlUiCspHeader", () => {
 expect(csp).toContain("frame-ancestors 'none'");
 expect(csp).toContain("script-src 'self'");
 expect(csp).not.toContain("script-src 'self' 'unsafe-inline'");
- expect(csp).toContain("style-src 'self' 'unsafe-inline'");
+ expect(csp).toContain("style-src 'self' 'unsafe-inline' https://fonts.googleapis.com");
+ });
+
+ it("allows Google Fonts for style and font loading", () => {
+ const csp = buildControlUiCspHeader();
+ expect(csp).toContain("https://fonts.googleapis.com");
+ expect(csp).toContain("font-src 'self' https://fonts.gstatic.com");
 });
 });
diff --git a/src/gateway/control-ui-csp.ts b/src/gateway/control-ui-csp.ts
index 31cd98bd6..8a7b56f1e 100644
--- a/src/gateway/control-ui-csp.ts
+++ b/src/gateway/control-ui-csp.ts
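Review bot: The first assertion in the new `it` block, `expect(csp).toContain("https://fonts.googleapis.com")`, is not tied to any directive, so it still passes if that origin ever ends up in `script-src` or `connect-src`, and it only repeats, more weakly, the directive-scoped check added to the first test. Make it directive-scoped and pair it with a negative check that the origin stays out of `script-src`: `expect(csp).toContain("style-src 'self' 'unsafe-inline' https://fonts.googleapis.com");` and `expect(csp).not.toMatch(/script-src[^;]*googleapis/);`. The `it` that owns the changed `style-src` assertion starts above the hunk.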
@@ -1,15 +1,17 @@
 export function buildControlUiCspHeader(): string {
 // Control UI: block framing, block inline scripts, keep styles permissive
 // (UI uses a lot of inline style attributes in templates).
+ // Keep Google Fonts origins explicit in CSP for deployments that load
+ // external Google Fonts stylesheets/font files.
 return [
 "default-src 'self'",
 "base-uri 'none'",
 "object-src 'none'",
 "frame-ancestors 'none'",
 "script-src 'self'",
- "style-src 'self' 'unsafe-inline'",
+ "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 "img-src 'self' data: https:",
- "font-src 'self'",
+ "font-src 'self' https://fonts.gstatic.com",
 "connect-src 'self' ws: wss:",
 ].join("; ");
 }
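Review bot: The two new origins in `style-src` and `font-src` are added unconditionally, while the comment added just above `return` says they are "for deployments that load external Google Fonts" — every Control UI deployment, including ones that never reference Google Fonts, now has a CSP that permits stylesheet and font fetches to fonts.googleapis.com and fonts.gstatic.com, and the CSP was the one gateway-side control keeping those third-party requests blocked in restricted or privacy-sensitive environments. Consider gating the two origins behind an option so the allowlist matches the comment's intent; whether the option should default to on depends on whether the bundled UI itself links Google Fonts, which this diff does not show, so the default below is a placeholder to settle against the UI bundle. The comment on the option should state that turning it on widens the policy for all users of that deployment. Self-hosting the font files under `'self'` would remove the need for the widening entirely.

```typescript
export function buildControlUiCspHeader(opts: { allowGoogleFonts?: boolean } = {}): string {
  // … unchanged: comments …
  const styleSrc = ["'self'", "'unsafe-inline'"];
  const fontSrc = ["'self'"];
  // Widen style/font allowlists only when the deployment actually serves
  // Google Fonts; otherwise third-party style/font fetches stay blocked.
  if (opts.allowGoogleFonts ?? /* TODO: default per UI bundle */ true) {
    styleSrc.push("https://fonts.googleapis.com");
    fontSrc.push("https://fonts.gstatic.com");
  }
  return [
    // … unchanged: default-src, base-uri, object-src, frame-ancestors, script-src …
    `style-src ${styleSrc.join(" ")}`,
    "img-src 'self' data: https:",
    `font-src ${fontSrc.join(" ")}`,
    "connect-src 'self' ws: wss:",
  ].join("; ");
}
```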