From 3c9dab34bfa8c6034f02b162d91ed1dec06ad49d Mon Sep 17 00:00:00 2001
From: Bruno Quaresma
Date: Thu, 8 Dec 2022 15:32:41 -0300
Subject: [PATCH] fix: Fix CSP for monaco editor (#5358)
---
 site/site.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/site/site.go b/site/site.go
index 1d0d65abcf..924b88f195 100644
--- a/site/site.go
+++ b/site/site.go
@@ -266,9 +266,12 @@ func cspHeaders(next http.Handler) http.Handler {
 CSPDirectiveDefaultSrc: {"'self'"},
 CSPDirectiveConnectSrc: {"'self'"},
 CSPDirectiveChildSrc: {"'self'"},
- CSPDirectiveScriptSrc: {"'self'"},
- CSPDirectiveFontSrc: {"'self'"},
- CSPDirectiveStyleSrc: {"'self' 'unsafe-inline'"},
+ // https://cdn.jsdelivr.net is used by monaco editor on FE for Syntax Highlight
+ // https://github.com/suren-atoyan/monaco-react/issues/168
+ CSPDirectiveScriptSrc: {"'self' https://cdn.jsdelivr.net"},
+ // data: is used by monaco editor on FE for Syntax Highlight
+ CSPDirectiveFontSrc: {"'self' data:"},
+ CSPDirectiveStyleSrc: {"'self' 'unsafe-inline'"},
 // object-src is needed to support code-server
 CSPDirectiveObjectSrc: {"'self'"},
 // blob: for loading the pwa manifest for code-server
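Review bot: The new `CSPDirectiveScriptSrc` value allows the whole `https://cdn.jsdelivr.net` origin, which is much broader than the monaco editor needs. That CDN serves arbitrary public packages and repositories, so every script hosted there becomes an allowed source and `script-src` loses most of its value as an injection mitigation. If monaco really has to come from the CDN, scope the source to its path, e.g. `CSPDirectiveScriptSrc: {"'self' https://cdn.jsdelivr.net/npm/monaco-editor@<version>/"},` (placeholder version; the exact path the loader requests should be confirmed). The stronger fix is to bundle the editor and point the loader at same-origin assets so `script-src` can stay `'self'`. The comment above the directive should then state that the CDN entry is a deliberate, temporary relaxation; `cspHeaders` continues outside this hunk, so whether other directives already cover workers or styles for monaco cannot be seen here.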