From 983c9c4a72d5aa27d0dc33f11672e6052b0137d3 Mon Sep 17 00:00:00 2001 From: Maarten Balliauw Date: Fri, 13 Feb 2026 06:34:39 +0100 Subject: [PATCH 1/2] Bump IdentityServer to 7.4.6 --- src/Duende.IdentityServer.Demo.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Duende.IdentityServer.Demo.csproj b/src/Duende.IdentityServer.Demo.csproj index 098ea97..9eaed1d 100644 --- a/src/Duende.IdentityServer.Demo.csproj +++ b/src/Duende.IdentityServer.Demo.csproj @@ -8,7 +8,7 @@ - + From 37d244bd5184cdaff2de5850fdb97d3fcce8772c Mon Sep 17 00:00:00 2001 From: Maarten Balliauw Date: Fri, 13 Feb 2026 06:37:51 +0100 Subject: [PATCH 2/2] Allow Google Fonts in Content Security Policy (https://github.com/orgs/DuendeSoftware/discussions/489) --- src/Pages/SecurityHeadersAttribute.cs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Pages/SecurityHeadersAttribute.cs b/src/Pages/SecurityHeadersAttribute.cs index aa90ad4..2e1302f 100644 --- a/src/Pages/SecurityHeadersAttribute.cs +++ b/src/Pages/SecurityHeadersAttribute.cs @@ -33,6 +33,9 @@ public override void OnResultExecuting(ResultExecutingContext context) //csp += "upgrade-insecure-requests;"; // also an example if you need client images to be displayed from twitter // csp += "img-src 'self' https://pbs.twimg.com;"; + + // Google Fonts + csp += "font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com"; // once for standards compliant browsers if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
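Review bot: The two host sources in the added `csp +=` line are written without a scheme (`fonts.gstatic.com`, `fonts.googleapis.com`), unlike the `https://pbs.twimg.com` example two lines above, so when the page itself is served over plain HTTP the policy also allows the stylesheet and fonts to be fetched over HTTP. Pinning the scheme and closing the last directive with `;`, as the neighbouring examples do, keeps later appends safe: `csp += "font-src 'self' https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com;";`. The initial value of `csp` is assigned outside this hunk, so confirm that it ends with `;` and does not already contain a `font-src` or `style-src` directive; browsers ignore a repeated directive, so the new one would then have no effect. The `// Google Fonts` comment could also say that the stylesheet is third-party content on the login pages and that self-hosting the fonts would avoid widening the policy.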