From 3da04f4856a288e603defada878d0635f4382387 Mon Sep 17 00:00:00 2001
From: uhensler <urs.hensler@frentix.com>
Date: Wed, 23 Jan 2019 12:42:31 +0100
Subject: [PATCH] OO-3797: Add edu-sharing url to content security policy
 font-src

---
 .../org/olat/core/servlets/HeadersFilter.java | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/olat/core/servlets/HeadersFilter.java b/src/main/java/org/olat/core/servlets/HeadersFilter.java
index 23fb4f98226..413a22b4805 100644
--- a/src/main/java/org/olat/core/servlets/HeadersFilter.java
+++ b/src/main/java/org/olat/core/servlets/HeadersFilter.java
@@ -108,8 +108,7 @@ public class HeadersFilter implements Filter {
 		appendDirective(sb, "style-src", securityModule.getContentSecurityPolicyStyleSrc(),
 				CSPModule.DEFAULT_CONTENT_SECURITY_POLICY_STYLE_SRC);
 		appendImgSrcDirective(sb, false);
-		appendDirective(sb, "font-src", securityModule.getContentSecurityPolicyFontSrc(),
-				CSPModule.DEFAULT_CONTENT_SECURITY_POLICY_FONT_SRC);
+		appendFontSrcDirective(sb, false);
 		appendDirective(sb, "worker-src", securityModule.getContentSecurityPolicyWorkerSrc(),
 				CSPModule.DEFAULT_CONTENT_SECURITY_POLICY_WORKER_SRC);
 		appendFrameSrcDirective(sb, false);
@@ -132,10 +131,8 @@ public class HeadersFilter implements Filter {
 				appendDirective(sb, "style-src", null, CSPModule.DEFAULT_CONTENT_SECURITY_POLICY_STYLE_SRC);
 				break;
 			case "img-src": appendImgSrcDirective(sb, true); break;
-			case "font-src":
-				appendDirective(sb, "font-src", null, CSPModule.DEFAULT_CONTENT_SECURITY_POLICY_FONT_SRC);
-				break;
-			case "connect-src":appendConnectSrcDirective(sb, true); break;
+			case "font-src": appendFontSrcDirective(sb, true); break;
+			case "connect-src": appendConnectSrcDirective(sb, true); break;
 			case "frame-src": appendFrameSrcDirective(sb, true); break;
 			case "media-src": appendMediaSrcDirective(sb, true); break;
 			case "object-src":
@@ -148,6 +145,17 @@ public class HeadersFilter implements Filter {
 		
 	}
 	
+	private void appendFontSrcDirective(StringBuilder sb, boolean standard) {
+		sb.append("font-src ")
+		  .append(CSPModule.DEFAULT_CONTENT_SECURITY_POLICY_FONT_SRC);
+		if(!standard && StringHelper.containsNonWhitespace(securityModule.getContentSecurityPolicyFontSrc())) {
+			sb.append(" ").append(securityModule.getContentSecurityPolicyFontSrc());
+		}
+		
+		appendEdusharingUrl(sb);
+		sb.append(";");
+	}
+	
 	private void appendConnectSrcDirective(StringBuilder sb, boolean standard) {
 		sb.append("connect-src ")
 		  .append(CSPModule.DEFAULT_CONTENT_SECURITY_POLICY_CONNECT_SRC);
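Review bot: In appendFontSrcDirective the admin-configured `securityModule.getContentSecurityPolicyFontSrc()` value and whatever `appendEdusharingUrl(sb)` writes are concatenated into the `font-src` directive with no check visible in this hunk, so a value containing `;` or a line break would end the directive and start another, and a bare scheme or `*` would silently widen the policy. The body of appendEdusharingUrl is outside the hunk; if it does not already reduce the configured URL to an origin (scheme, host, port) and skip it when edu-sharing is disabled, that is where the check belongs. For the configured value, read the getter once into a local and refuse it (with a log entry) when it contains `;`, `,` or control characters instead of emitting it. The edu-sharing source is also appended when `standard` is true, which, judging by the `case "font-src"` call in the switch hunk that previously passed `null` as the configured value, looks like the defaults-only path. A one-line Javadoc would make that explicit: `/** Appends font-src: built-in defaults, the configured sources unless standard is true, and the edu-sharing URL in both cases. */`.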
-- 
GitLab