authorLibravatar Kristóf Marussy <kristof@marussy.com>2024-02-24 01:13:00 +0100
committerLibravatar Kristóf Marussy <kristof@marussy.com>2024-02-24 14:20:49 +0100
commit01db8d59c8bcf69d9c375c7f9c8e1f1d03498c00 (patch)
treeb21ac46b8d0e4c0e050a1f20c1f6f942c572a100
parentrefactor(frontend): improve save dialog label (diff)
fix(web): CSP for SVG rasterization
We have to allow img-src blob: to be able to rasterize SVG files by loading their blobs as object URLs into <img> objects. Also fixes font-style for PNG export.
-rw-r--r--subprojects/frontend/src/graph/export/exportDiagram.tsx2
-rw-r--r--subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java4
2 files changed, 3 insertions, 3 deletions
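--- a/subprojects/frontend/src/graph/export/exportDiagram.tsx
+++ b/subprojects/frontend/src/graph/export/exportDiagram.tsx
@@ -134,7 +134,7 @@ async function fetchVariableFontCSS(): Promise<string> {
 }
 @font-face {
   font-family: 'Open Sans Variable';
-  font-style: normal;
+  font-style: italic;
   font-display: swap;
   font-weight: 300 800;
   src: url(${variableItalicDataURL}) format('woff2-variations');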
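--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -20,8 +20,8 @@ public class SecurityHeadersFilter implements Filter {
  // CodeMirror needs inline styles, see e.g.,
  // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
  "style-src 'self' 'unsafe-inline'; " +
- // Use 'data:' for displaying inline SVG backgrounds.
- "img-src 'self' data:; " +
+ // Use 'data:' for displaying inline SVG backgrounds and blob for rendering SVG.
+ "img-src 'self' data: blob:; " +
  "font-src 'self'; " +
  // Fetch data:application/octet-stream;base64 URIs to unpack compressed URL fragments.
  "connect-src 'self' data:; " +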
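Review bot: The new comment above the `img-src` directive names the scheme as a bare "blob" while the same comment and the policy string use the quoted form `'data:'`, and it does not say which feature needs the allowance. I would write it as `// Use 'data:' for inline SVG backgrounds and 'blob:' for object URLs that rasterize SVG exports via <img>.` so that someone auditing this CSP later can tie the relaxation to the export path and remove it if that path changes. As far as this hunk shows, `blob:` is added only to `img-src`, so it widens image loads to object URLs created by same-origin script and nothing else; it would still be worth confirming that the export code revokes each object URL once the image has loaded, which is not visible here. The policy string begins and ends outside this hunk.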