From e8845334f314aae26c6eea757892e1cd7e7d6f23 Mon Sep 17 00:00:00 2001 From: Jan Sroka Date: Wed, 8 Jul 2026 21:36:37 +0200 Subject: [PATCH] fix(csp): allow data: fonts and drop meta-ignored frame-ancestors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two Content-Security-Policy console messages in the browser: 1. ERROR — a Webflow icon font embedded in webflow.css as a data:application/x-font-ttf URI was blocked by `font-src 'self'`. Add `data:` to font-src (mirrors the existing img-src 'self' data:). 2. WARNING — `frame-ancestors` is ignored when delivered via (it is header-only), so it did nothing but log a warning. Removed it; X-Frame- Options / a header-based frame-ancestors would need a header-capable front (documented in the head.html comment). Verified: site builds and the rendered CSP in _site shows `font-src 'self' data:` with frame-ancestors gone; prettier clean. Co-Authored-By: Claude Opus 4.8 (1M context) --- _includes/head.html | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/_includes/head.html b/_includes/head.html index 5c6df51..80ba66f 100644 --- a/_includes/head.html +++ b/_includes/head.html @@ -21,16 +21,20 @@ stricter style-src without 'unsafe-inline' would break their layout, and a CSP that breaks styling is worse than no CSP. - X-Content-Type-Options and X-Frame-Options are deliberately NOT emitted as - meta tags: both directives are only honored by browsers when sent as real - HTTP response headers and have no effect via . Enforcing - them requires either GitHub Pages gaining header support or fronting the - site with something that can inject headers (e.g. Cloudflare Transform - Rules / a Worker). + X-Content-Type-Options, X-Frame-Options, and the CSP `frame-ancestors` + directive are deliberately NOT included here: they are only honored by + browsers when delivered as real HTTP response headers and are ignored via + (frame-ancestors logs a console warning if left in). + Enforcing them requires either GitHub Pages gaining header support or + fronting the site with something that can inject headers (e.g. Cloudflare + Transform Rules / a Worker). + + font-src allows data: because the Webflow CSS embeds an icon font as a + data:application/x-font-ttf URI. --> + content="default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'">