Merge pull request #45 from DuendeSoftware/mb/csp

maartenba · web-flow · commit 6430d15112e4 · 2026-02-13T06:38:55.000+01:00
Add CSP for fonts
diff --git a/src/Duende.IdentityServer.Demo.csproj b/src/Duende.IdentityServer.Demo.csproj
@@ -8,7 +8,7 @@
 	</PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="Duende.IdentityServer" Version="7.4.3" />
+		<PackageReference Include="Duende.IdentityServer" Version="7.4.6" />
 		<PackageReference Include="Duende.AspNetCore.Authentication.JwtBearer" Version="0.3.0" />
 		<PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
 	</ItemGroup>
diff --git a/src/Pages/SecurityHeadersAttribute.cs b/src/Pages/SecurityHeadersAttribute.cs
@@ -33,6 +33,9 @@ public override void OnResultExecuting(ResultExecutingContext context)
             //csp += "upgrade-insecure-requests;";
             // also an example if you need client images to be displayed from twitter
             // csp += "img-src 'self' https://pbs.twimg.com;";
+            
+            // Google Fonts
+            csp += "font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com";
 
             // once for standards compliant browsers
             if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
