Allow inline style tags and remove Bunny font

Codex Agent
2026-01-24 23:34:10 +01:00
parent 8414305ea3
commit 84e253b61c
4 changed files with 3 additions and 11 deletions


@@ -33,8 +33,6 @@ class ContentSecurityPolicy
return $response; return $response;
} }
$allowUnsafeInlineStyles = $request->is('event-admin*');
$matomoOrigin = $this->normaliseOrigin(config('services.matomo.url')); $matomoOrigin = $this->normaliseOrigin(config('services.matomo.url'));
$scriptSources = [ $scriptSources = [
"'self'", "'self'",
@@ -120,11 +118,7 @@ class ContentSecurityPolicy
$styleSources[] = 'data:'; $styleSources[] = 'data:';
$connectSources[] = 'https:'; $connectSources[] = 'https:';
$fontSources[] = 'https:'; $fontSources[] = 'https:';
$styleElemSources = $styleSources; $styleElemSources = array_unique(array_merge($styleSources, ["'unsafe-inline'"]));
if ($allowUnsafeInlineStyles) {
$styleElemSources = array_unique(array_merge($styleElemSources, ["'unsafe-inline'"]));
}
$directives = [ $directives = [
'default-src' => ["'self'"], 'default-src' => ["'self'"],
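Review bot: The new `$styleElemSources` assignment adds `'unsafe-inline'` to style-src-elem on every response, where the removed `$request->is('event-admin*')` check had confined it to the admin routes, and the commit message does not say why the relaxation has to be site-wide, so the line deserves a comment recording that, e.g. `// 'unsafe-inline' lets any <style> element apply, including an injected one; replace with a per-request nonce or hash once the inline styles are enumerated.` A nonce- or hash-based allowance keeps the protection against CSS injection that the directive exists for, and Laravel's Vite helper (`Vite::useCspNonce()`) can supply the nonce to the Blade and Inertia layers seen elsewhere in this commit. Note also that if `$styleSources` already carries a `'nonce-…'` or `'sha256-…'` entry (not visible in the hunk), CSP-conformant browsers ignore `'unsafe-inline'` in that directive, so the change would have no effect there. The enclosing method begins and ends outside the hunk.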


@@ -8,8 +8,6 @@ export default function Welcome() {
return ( return (
<> <>
<Head title="Welcome"> <Head title="Welcome">
<link rel="preconnect" href="https://fonts.bunny.net" />
<link href="https://fonts.bunny.net/css?family=instrument-sans:400,500,600" rel="stylesheet" />
</Head> </Head>
<div className="flex min-h-screen flex-col items-center bg-[#FDFDFC] p-6 text-[#1b1b18] lg:justify-center lg:p-8 dark:bg-[#0a0a0a]"> <div className="flex min-h-screen flex-col items-center bg-[#FDFDFC] p-6 text-[#1b1b18] lg:justify-center lg:p-8 dark:bg-[#0a0a0a]">
<header className="mb-6 w-full max-w-[335px] text-sm not-has-[nav]:hidden lg:max-w-4xl"> <header className="mb-6 w-full max-w-[335px] text-sm not-has-[nav]:hidden lg:max-w-4xl">


@@ -33,8 +33,6 @@
<link rel="icon" href="{{ asset('favicon.ico') }}" type="image/x-icon"> <link rel="icon" href="{{ asset('favicon.ico') }}" type="image/x-icon">
<link rel="apple-touch-icon" href="/apple-touch-icon.png"> <link rel="apple-touch-icon" href="/apple-touch-icon.png">
<link rel="preconnect" href="https://fonts.bunny.net">
<link href="https://fonts.bunny.net/css?family=instrument-sans:400,500,600" rel="stylesheet" />
@viteReactRefresh @viteReactRefresh
@vite(['resources/css/app.css', 'resources/js/app.tsx', "resources/js/pages/{$page['component']}.tsx"]) @vite(['resources/css/app.css', 'resources/js/app.tsx', "resources/js/pages/{$page['component']}.tsx"])


@@ -37,6 +37,7 @@ class SecurityHeadersTest extends TestCase
$response->assertHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()'); $response->assertHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
$response->assertHeader('Content-Security-Policy'); $response->assertHeader('Content-Security-Policy');
$response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'"); $response->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
$response->assertHeaderContains('Content-Security-Policy', "'unsafe-inline'; style-src-attr");
$response->assertHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); $response->assertHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
$response->assertCookie('XSRF-TOKEN'); $response->assertCookie('XSRF-TOKEN');
@@ -48,6 +49,7 @@ class SecurityHeadersTest extends TestCase
$login->assertOk(); $login->assertOk();
$login->assertHeader('Content-Security-Policy'); $login->assertHeader('Content-Security-Policy');
$login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'"); $login->assertHeaderContains('Content-Security-Policy', "style-src-elem 'self'");
$login->assertHeaderContains('Content-Security-Policy', "'unsafe-inline'; style-src-attr");
$login->assertHeader('X-Frame-Options', 'SAMEORIGIN'); $login->assertHeader('X-Frame-Options', 'SAMEORIGIN');
$login->assertCookie('XSRF-TOKEN'); $login->assertCookie('XSRF-TOKEN');
} finally { } finally {
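Review bot: The assertions added at L62 and L69 pin the substring `'unsafe-inline'; style-src-attr`, which holds only while style-src-elem is serialized immediately before style-src-attr and `'unsafe-inline'` happens to be its last source, so reordering the `$directives` array in ContentSecurityPolicy would fail the suite without any policy change. Extracting the directive by name and asserting on its value is order-independent, and it also makes room for the negative check the suite appears to lack — that `script-src` does not carry `'unsafe-inline'`, which is the regression a CSP test most needs to catch once inline styles are allowed. The enclosing test methods start and end outside both hunks.

```php
// … unchanged: existing assertHeader / assertCookie calls …
$csp = $response->headers->get('Content-Security-Policy');
$this->assertStringContainsString("'unsafe-inline'", $this->cspDirective($csp, 'style-src-elem') ?? '');
$this->assertStringNotContainsString("'unsafe-inline'", $this->cspDirective($csp, 'script-src') ?? '');

/** Return the source list of one CSP directive, or null if the header does not set it. */
private function cspDirective(string $header, string $name): ?string
{
    foreach (explode(';', $header) as $directive) {
        $directive = trim($directive);
        if (str_starts_with($directive, $name . ' ')) {
            return substr($directive, strlen($name) + 1);
        }
    }

    return null;
}
```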