Adds fonts.googleapis.com to CSP#2916
Conversation
|
|
The latest updates on your projects. Learn more about Vercel for GitHub.
1 Skipped Deployment
|
|
TL;DR — Loosens the Content Security Policy in the manage UI to allow Google Fonts and Monaco Editor's WebAssembly execution, fixing CSP violations for font loading and the code editor. Key changes
Summary | 1 file | 4 commits | base:
|
There was a problem hiding this comment.
Low urgency — the change is harmless but likely unnecessary, and if Google Fonts are needed at runtime, the CSP is incomplete. One inline comment with details.
Claude Opus | 𝕏
| `default-src 'self'`, | ||
| `script-src ${scriptSrcDomains}`, | ||
| `style-src 'self' 'unsafe-inline'`, | ||
| `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com`, |
There was a problem hiding this comment.
The app loads fonts via next/font/google (layout.tsx:2), which downloads and self-hosts font files at build time — no runtime requests to fonts.googleapis.com. This CSP addition shouldn't be needed for the current setup.
If there is a use case that requires loading Google Fonts stylesheets at runtime (e.g. a dynamic @import or <link> tag), then font-src on line 70 also needs https://fonts.gstatic.com — otherwise the browser will allow the stylesheet but block the actual .woff2 font file downloads.
Could you share what triggered this change? If there's a CSP violation in the console, the full blocked URI would help determine the right fix.
There was a problem hiding this comment.
PR Review Summary
(1) Total Issues | Risk: Medium
🟠⚠️ Major (1) 🟠⚠️
Inline Comments:
- 🟠 Major:
proxy.ts:70Missingfont-srcdirective — Google Fonts won't load without allowingfonts.gstatic.com
Context
This PR adds https://fonts.googleapis.com to the style-src CSP directive to allow loading Google Fonts stylesheets.
Current architecture note: The app already uses next/font/google (Inter, JetBrains_Mono) in layout.tsx, which self-hosts fonts at build time and doesn't require CSP exceptions. This change suggests either:
- A new feature using dynamic Google Fonts loading, or
- A third-party dependency that embeds Google Fonts
Without the font-src update, the stylesheet will load but the actual font files will be blocked.
🚫 REQUEST CHANGES
Summary: The CSP change is incomplete — adding fonts.googleapis.com to style-src without also adding fonts.gstatic.com to font-src will cause font loading to fail silently. Please apply the inline suggestion to fix this. Additionally, consider adding a brief PR description explaining which feature requires external Google Fonts loading (since the existing fonts use Next.js's optimized self-hosting approach).
Reviewers (1)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
orchestrator |
1 | 0 | 0 | 0 | 1 | 0 | 0 |
| Total | 1 | 0 | 0 | 0 | 1 | 0 | 0 |
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
There was a problem hiding this comment.
PR Review Summary
(1) Total Issues | Risk: Low
🟡 Minor (1) 🟡
Inline Comments:
- 🟡 Minor:
proxy.ts:69-70Duplicatestyle-srcdirective (copy-paste error)
🕐 Pending Recommendations (1)
- 💭
proxy.ts:69Consider documenting which feature requires external Google Fonts (since existing fonts usenext/font/googleself-hosting)
💡 APPROVE WITH SUGGESTIONS
Summary: The prior font-src feedback was addressed — fonts.gstatic.com is now correctly included. However, there's a small copy-paste error that duplicated the style-src line. Apply the 1-click suggestion to clean it up. 🧹
Reviewers (1)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
orchestrator |
1 | 0 | 0 | 0 | 1 | 1 | 0 |
| Total | 1 | 0 | 0 | 0 | 1 | 1 | 0 |
Note: Delta-scoped re-review. Prior font-src issue resolved; new duplicate line detected.
| `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com`, | ||
| `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com`, |
There was a problem hiding this comment.
🟡 Minor: Duplicate style-src directive
Issue: The style-src directive appears twice (lines 69-70). This looks like a copy-paste error when adding the font-src line.
Why: Per the CSP spec, when duplicate directives exist, only the first occurrence is applied — so this won't break anything, but it's unnecessary and adds noise to the CSP header.
Fix: (1-click apply)
| `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com`, | |
| `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com`, | |
| `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com`, |
Refs:
There was a problem hiding this comment.
PR Review Summary
(0) Total Issues | Risk: Low
✅ Prior Issues Resolved
All feedback from previous reviews has been addressed:
- ✅ Missing
font-src https://fonts.gstatic.com— now included (line 71) - ✅ Duplicate
style-srcdirective — removed in commit591c89927
📝 Delta Review (2 commits since last review)
New change: Added 'wasm-unsafe-eval' to script-src (line 60)
This is appropriate for Monaco Editor support:
- Monaco uses WebAssembly for syntax highlighting and validation
'wasm-unsafe-eval'is the CSP Level 3 recommended approach — narrowly scoped to WASM compilation only- Safer than
'unsafe-eval'which allows arbitrary string-to-code evaluation - Monaco is extensively used throughout the manage UI (26 files reference it)
✅ APPROVE
Summary: Clean delta — all prior feedback addressed, and the new 'wasm-unsafe-eval' addition is a well-scoped, security-appropriate change for Monaco Editor. Ship it! 🚀
Reviewers (1)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
orchestrator |
0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Note: Delta-scoped re-review. No sub-reviewers dispatched — small, focused change with clear justification (Monaco Editor CSP support).
font-csp
3aba21b to
d385c16
Compare
There was a problem hiding this comment.
PR Review Summary
(0) Total Issues | Risk: Low
✅ No New Issues
This is a re-review triggered by a synchronize event. The PR state is unchanged from the previous APPROVE review.
Summary of changes:
style-src→ addshttps://fonts.googleapis.com(allows Google Fonts CSS)font-src→ addshttps://fonts.gstatic.com(allows Google Fonts WOFF2 files)
Both domains are correctly paired per the Google Fonts CSP documentation.
✅ Prior Issues Resolved
All feedback from previous reviews was addressed:
- ✅ Missing
font-src https://fonts.gstatic.com— added - ✅ Duplicate
style-srcdirective — removed
✅ APPROVE
Summary: Clean CSP addition for Google Fonts. Both required domains are correctly configured. Ship it! 🚀
Reviewers (1)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
orchestrator |
0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Note: Re-review with no new commits since prior APPROVE. No sub-reviewers dispatched.
* Adds fonts.googleapis.com to CSP * Update agents-manage-ui/src/proxy.ts Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> * removes duplicate font-csp --------- Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
No description provided.