Merge pull request #12070 from paul43210/fix/csp-font-src

fix(proxy): add data: to font-src CSP to allow bundled KaTeX fonts
2026-04-25 17:25:21 +02:00 · 2026-03-11 08:47:29 +01:00
parent 4fba74c1f7 d4367fb224
commit c65dff7fac
11 changed files with 16 additions and 2 deletions
--- a/changelog/unreleased/fix-csp-font-src.md
+++ b/changelog/unreleased/fix-csp-font-src.md
@@ -0,0 +1,5 @@
+Bugfix: Fix CSP blocking bundled KaTeX font
+
+The default Content Security Policy blocked the bundled KaTeX math font (used by the md-editor) because it is inlined as a `data:` URI in the Web UI CSS. Added `data:` to the `font-src` directive to resolve the console error on every page load. Users with custom CSP files (`PROXY_CSP_CONFIG_FILE_LOCATION`) will need to add `data:` to their `font-src` directive manually.
+
+https://github.com/owncloud/ocis/pull/12070
--- a/deployments/examples/ocis_full/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_full/config/ocis/csp.yaml
@@ -13,6 +13,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''self'''
  frame-src:
--- a/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
@@ -11,6 +11,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''none'''
  frame-src:
--- a/deployments/examples/ocis_multi/config/ocis/csp-ocm.yaml
+++ b/deployments/examples/ocis_multi/config/ocis/csp-ocm.yaml
@@ -10,6 +10,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''self'''
  frame-src:
--- a/deployments/examples/ocis_multi/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_multi/config/ocis/csp.yaml
@@ -11,6 +11,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''none'''
  frame-src:
--- a/deployments/examples/ocis_ocm/config/ocis/csp-ocm-next.yaml
+++ b/deployments/examples/ocis_ocm/config/ocis/csp-ocm-next.yaml
@@ -9,6 +9,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''self'''
  frame-src:
--- a/deployments/examples/ocis_ocm/config/ocis/csp-ocm.yaml
+++ b/deployments/examples/ocis_ocm/config/ocis/csp-ocm.yaml
@@ -9,6 +9,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''self'''
  frame-src:
--- a/deployments/examples/ocis_ocm/config/ocis/csp.yaml
+++ b/deployments/examples/ocis_ocm/config/ocis/csp.yaml
@@ -9,6 +9,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''self'''
  frame-src:
--- a/services/proxy/pkg/config/csp.yaml
+++ b/services/proxy/pkg/config/csp.yaml
@@ -9,6 +9,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''self'''
  frame-src:
--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
@@ -219,7 +219,7 @@ Feature: download file
    And the following headers should be set
      | header                            | value                                                                                                                                                                                                                                                                                                                                                                                                                                    |
      | Content-Disposition               | attachment; filename*=UTF-8''<encoded-file-name>; filename="<file-name>"                                                                                                                                                                                                                                                                                                                                                                 |
-      | Content-Security-Policy           | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+      | Content-Security-Policy           | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self' data:; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
      | X-Content-Type-Options            | nosniff                                                                                                                                                                                                                                                                                                                                                                                                                                  |
      | X-Frame-Options                   | SAMEORIGIN                                                                                                                                                                                                                                                                                                                                                                                                                               |
      | X-Permitted-Cross-Domain-Policies | none                                                                                                                                                                                                                                                                                                                                                                                                                                     |
@@ -246,7 +246,7 @@ Feature: download file
    And the following headers should be set
      | header                            | value                                                                                                                                                                                                                                                                                                                                                                                                                                    |
      | Content-Disposition               | attachment; filename*=UTF-8''%22quote%22double%22.txt; filename=""quote"double".txt"                                                                                                                                                                                                                                                                                                                                                     |
-      | Content-Security-Policy           | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+      | Content-Security-Policy           | child-src 'self'; connect-src 'self' blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; default-src 'none'; font-src 'self' data:; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob: https://raw.githubusercontent.com/owncloud/awesome-ocis/; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
      | X-Content-Type-Options            | nosniff                                                                                                                                                                                                                                                                                                                                                                                                                                  |
      | X-Frame-Options                   | SAMEORIGIN                                                                                                                                                                                                                                                                                                                                                                                                                               |
      | X-Permitted-Cross-Domain-Policies | none                                                                                                                                                                                                                                                                                                                                                                                                                                     |
--- a/tests/config/drone/csp.yaml
+++ b/tests/config/drone/csp.yaml
@@ -11,6 +11,7 @@ directives:
    - '''none'''
  font-src:
    - '''self'''
+    - 'data:'
  frame-ancestors:
    - '''none'''
  frame-src: