Merge branch 'main' into mathjax

vmcj · web-flow · commit f2cfc78a1711 · 2025-11-10T09:12:31.000+01:00
diff --git a/webapp/src/EventListener/AddContentSecurityPolicyListener.php b/webapp/src/EventListener/AddContentSecurityPolicyListener.php
@@ -17,7 +17,10 @@ public function __invoke(ResponseEvent $event): void
         // the profiler requires 'unsafe-eval' for script-src 'self'.
         $response = $event->getResponse();
         $cspExtra = $this->profiler ? "'unsafe-eval'" : "";
-        $csp = "font-src 'self' data:; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' $cspExtra; img-src 'self' data:; worker-src 'self' blob:";
+        $csp  = "default-src 'self';";
+        $csp .= "font-src 'self' data:; img-src 'self' data:;";
+        $csp .= "style-src 'self' 'unsafe-inline'; worker-src 'self' blob:";
+        $csp .= "script-src 'self' 'unsafe-inline' $cspExtra;";
         $response->headers->set('Content-Security-Policy', $csp);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,10 @@ public function __invoke(ResponseEvent $event): void`
`17`	`17`	`// the profiler requires 'unsafe-eval' for script-src 'self'.`
`18`	`18`	`$response = $event->getResponse();`
`19`	`19`	`$cspExtra = $this->profiler ? "'unsafe-eval'" : "";`
`20`		`- $csp = "font-src 'self' data:; default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' $cspExtra; img-src 'self' data:; worker-src 'self' blob:";`
	`20`	`+ $csp = "default-src 'self';";`
	`21`	`+ $csp .= "font-src 'self' data:; img-src 'self' data:;";`
	`22`	`+ $csp .= "style-src 'self' 'unsafe-inline'; worker-src 'self' blob:";`
	`23`	`+ $csp .= "script-src 'self' 'unsafe-inline' $cspExtra;";`
`21`	`24`	`$response->headers->set('Content-Security-Policy', $csp);`
`22`	`25`	`}`
`23`	`26`	`}`