fix(csp): allow cdn.jsdelivr.net for font-src so KaTeX fonts load (fixes #477)

2026-04-14 21:14:33 +00:00
parent eb7ec5bac3
commit 85f1017514
2 changed files with 27 additions and 1 deletions
--- a/api/helpers.py
+++ b/api/helpers.py
@@ -45,7 +45,7 @@ def _security_headers(handler):
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
        "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
-        "img-src 'self' data:; font-src 'self' data:; connect-src 'self'; "
+        "img-src 'self' data:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
        "base-uri 'self'; form-action 'self'"
    )
    handler.send_header(