author | Kristóf Marussy <kristof@marussy.com> | 2024-02-24 01:13:00 +0100 |
---|---|---|
committer | Kristóf Marussy <kristof@marussy.com> | 2024-02-24 14:20:49 +0100 |
commit | 01db8d59c8bcf69d9c375c7f9c8e1f1d03498c00 (patch) | |
tree | b21ac46b8d0e4c0e050a1f20c1f6f942c572a100 | |
parent | refactor(frontend): improve save dialog label (diff) | |
fix(web): CSP for SVG rasterization
We have to allow img-src blob: to be able to rasterize SVG files by loading
their blobs as object URLs into <img> objects.
Also fixes font-style for PNG export.
-rw-r--r-- | subprojects/frontend/src/graph/export/exportDiagram.tsx | 2 | ||||
-rw-r--r-- | subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java | 4 |
2 files changed, 3 insertions, 3 deletions
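--- a/subprojects/frontend/src/graph/export/exportDiagram.tsx
+++ b/subprojects/frontend/src/graph/export/exportDiagram.tsx
@@ -134,7 +134,7 @@ async function fetchVariableFontCSS(): Promise<string> {
 }
 @font-face {
 font-family: 'Open Sans Variable';
-font-style: normal;
+font-style: italic;
 font-display: swap;
 font-weight: 300 800;
 src: url(${variableItalicDataURL}) format('woff2-variations');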
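--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -20,8 +20,8 @@ public class SecurityHeadersFilter implements Filter {
 // CodeMirror needs inline styles, see e.g.,
 // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
 "style-src 'self' 'unsafe-inline'; " +
-// Use 'data:' for displaying inline SVG backgrounds.
-"img-src 'self' data:; " +
+// Use 'data:' for displaying inline SVG backgrounds and blob for rendering SVG.
+"img-src 'self' data: blob:; " +
 "font-src 'self'; " +
 // Fetch data:application/octet-stream;base64 URIs to unpack compressed URL fragments.
 "connect-src 'self' data:; " +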
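Review bot: The updated comment above the `img-src` directive says only "blob for rendering SVG", which does not tell a later maintainer where the blob URLs come from or why the allowance is limited to images. I would write it as `// 'data:' is for inline SVG backgrounds; 'blob:' lets the diagram export load same-origin object URLs into <img> to rasterize SVG.` and add a second comment line stating that `blob:` must stay confined to `img-src`. `blob:` here permits any object URL created by script already running in the page, so it should not be copied to `script-src`, `worker-src` or a `default-src` fallback. The policy string begins and ends outside this hunk, so the remaining directives cannot be checked from here. Presumably the export code creates these URLs with `URL.createObjectURL`; if so, revoking each one once the image has loaded keeps the widened source short-lived in practice.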