From 78c43138749200de689106eb469c31ddbbba90b3 Mon Sep 17 00:00:00 2001
From: codex_a
Date: Sun, 1 Mar 2026 11:31:41 +0000
Subject: [PATCH] fix: allow Google Fonts in CSP

style-src and font-src were 'self' only, blocking fonts.googleapis.com stylesheet and fonts.gstatic.com font files. Add both origins so Space Grotesk, Inter and Fira Code load correctly in production.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
apps/core/middleware.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/core/middleware.py b/apps/core/middleware.py
index a04983f..0152ed1 100644
--- a/apps/core/middleware.py
+++ b/apps/core/middleware.py
@@ -25,9 +25,9 @@ class SecurityHeadersMiddleware:
 response["Content-Security-Policy"] = (
 f"default-src 'self'; "
 f"script-src 'self' 'nonce-{nonce}'; "
- "style-src 'self'; "
+ "style-src 'self' https://fonts.googleapis.com; "
 "img-src 'self' data: blob:; "
- "font-src 'self'; "
+ "font-src 'self' https://fonts.gstatic.com; "
 "connect-src 'self'; "
 "object-src 'none'; "
 "base-uri 'self'; "
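Review bot: The two added origins in `style-src` and `font-src` are the smallest fix for the rendering break, but they turn a self-only policy into one that depends on a third party; self-hosting Space Grotesk, Inter and Fira Code (the font files plus a local stylesheet) would keep both directives at `'self'`, remove the runtime dependency on Google's servers for page rendering, and stop every visitor's stylesheet and font requests from reaching those origins. If the external origins stay, the changed lines deserve a why-comment so a later cleanup does not prune them as unused, e.g. `# Google Fonts: stylesheet from fonts.googleapis.com, font files from fonts.gstatic.com`. It may also be possible to narrow the `style-src` entry from the whole origin to the stylesheet path the templates actually request, though that URL is not visible here. The enclosing method starts before the hunk and the header assignment continues past `"base-uri 'self'; "`.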