update data access for font-src

apache · Jan 22, 2025 · 3d526f3 · 3d526f3
1 parent 9696bbd
commit 3d526f3
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/superset/config.py b/superset/config.py
@@ -1592,7 +1592,7 @@ def EMAIL_HEADER_MUTATOR(  # pylint: disable=invalid-name,unused-argument  # noq
 TALISMAN_CONFIG = {
     "content_security_policy": {
         "base-uri": ["'self'"],
-        "default-src": ["'self'", "data:"],
+        "default-src": ["'self'"],
         "img-src": [
             "'self'",
             "blob:",
@@ -1613,6 +1613,10 @@ def EMAIL_HEADER_MUTATOR(  # pylint: disable=invalid-name,unused-argument  # noq
             "'self'",
             "'unsafe-inline'",
         ],
+        "font-src": [
+            "'self'",
+            "data:"
+        ],
         "script-src": ["'self'", "'strict-dynamic'"],
     },
     "content_security_policy_nonce_in": ["script-src"],
@@ -1623,7 +1627,7 @@ def EMAIL_HEADER_MUTATOR(  # pylint: disable=invalid-name,unused-argument  # noq
 TALISMAN_DEV_CONFIG = {
     "content_security_policy": {
         "base-uri": ["'self'"],
-        "default-src": ["'self'", "data:"],
+        "default-src": ["'self'"],
         "img-src": [
             "'self'",
             "blob:",
@@ -1644,6 +1648,10 @@ def EMAIL_HEADER_MUTATOR(  # pylint: disable=invalid-name,unused-argument  # noq
             "'self'",
             "'unsafe-inline'",
         ],
+        "font-src": [
+            "'self'",
+            "data:"
+        ],
         "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
     },
     "content_security_policy_nonce_in": ["script-src"],