authorSheogorath2018-10-04 03:02:55 +0200
committerSheogorath2018-10-04 03:04:36 +0200
commitd4a9bb3c7e090f5fbea4df596be0c6261b3b4ac3 (patch)
tree0cc2f270e785f102a95a308b38824dc2fa3b05cf /lib
parentd9ba11b21a77561ec3f72d5396d48fea32f6389d (diff)
Add `data:` URL to CSP and upgrade helmet
Seems like the old version of helmet had a problem with `data:`. This patch upgrades to the latest version and adds the CSP rule to allow Google Fonts and the offline version of it, to properly include the fonts and no longer throw ugly error messages at us. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/csp.js2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/csp.js b/lib/csp.js
index 0987df85..96be533a 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -9,7 +9,7 @@ var defaultDirectives = {
// ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/codimd/issues/594
imgSrc: ['*'],
styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
- fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'],
+ fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'],
objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
mediaSrc: ['*'],
childSrc: ['*'],
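Review bot: The new `data:` entry in fontSrc has no inline explanation, while the neighbouring styleSrc and objectSrc entries each carry a comment saying why a loosening is needed; the commit message says it is for Google Fonts and their offline bundle, but that reason is lost once the file is read on its own. Suggested form: `fontSrc: ['\'self\'', 'data:', 'https://public.slidesharecdn.com'], // data: needed for fonts embedded as data URLs (Google Fonts / offline font bundle)`. Allowing `data:` in font-src is a minor widening compared to the `*` already present in imgSrc, objectSrc and mediaSrc, but each such allowance is easier to re-audit later when its purpose is recorded next to it. The enclosing `defaultDirectives` object starts before this hunk and ends after it.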