From 8f2f845856dca93c87573fe63877b9201cf86570 Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sun, 1 Mar 2020 22:17:55 +0100
Subject: Fixed CapsCSP bug allowing data: URLs to bypass font blocking (thanks dcent and skriptimaahinen).

---
 src/common/CapsCSP.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/common/CapsCSP.js b/src/common/CapsCSP.js
index 6621c95..cc1be72 100644
--- a/src/common/CapsCSP.js
+++ b/src/common/CapsCSP.js
@@ -2,7 +2,7 @@

 function CapsCSP(baseCSP = new CSP()) {
 return Object.assign(baseCSP, {
- types: ["script", "object", "media"],
+ types: ["script", "object", "media", "font"],
 dataUriTypes: ["font", "media", "object"],
 buildFromCapabilities(capabilities, blockHttp = false) {
 let forbidData = new Set(this.dataUriTypes.filter(t => !capabilities.has(t)));
-- 
cgit v1.2.3
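Review bot: The `types` and `dataUriTypes` literals are still kept in sync by hand, so the mismatch this commit fixes ("font" listed in `dataUriTypes` but missing from `types`) can return whenever a new resource type is added to only one of them. A comment above the two properties would record the dependency, for example `// Invariant: every dataUriTypes entry must also be in types, otherwise data: URLs of that type are not blocked.` How `types` is consumed lies in the part of `buildFromCapabilities` outside this hunk, so the wording should be checked against that code. A regression test would also help, one that builds a policy without the font capability and asserts that `data:` font sources are forbidden, since the fix currently rests on a single array element.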