Content-Security-Policy header on Vaadin14

Hi there,
I have a customer who insists on setting this header. Despite what I read in the Vaadin docs, and it is probably a false positive in my case, anyhow I have to do it,
I add: "default-src 'self' script-src 'unsafe-inline' 'unsafe-eval' style-src 'unsafe-inline' font-src 'self' *"
Still, I am struggling with the Vaadin icons. Although I also have my own icons, only the Vaadin ones don't get rendered:
Attached screenshot.
The main problem is that Resource = data, which does not seem to be covered by font-src 'self' *. I tried to specify the /data URL with no success.
Any idea?
From the Chrome information on the block (2 directives):

| Resource | Status | Directive | Source Location |
|---|---|---|---|
| data | blocked | font-src | coresuite:829 |
| data | blocked | font-src | coresuite:2 |

Hi there @reverent-fox ,

This is easy to get wrong. I see you are missing some semicolons on your custom policy string. I have used this approach before with no issues. Give it a try:

```java
private static final String CONTENT_POLICY_KEY = "script-src 'unsafe-inline' 'unsafe-eval' 'self' KEY; style-src 'unsafe-inline' 'self' KEY";

// Inside your overridden configure method
String contentPolicyString = CONTENT_POLICY_KEY.replace("KEY", allowedDomain);
http.headers().contentSecurityPolicy(contentPolicyString);
```

In the example above, “KEY” is to be replaced by your trusted domain(s)/ip(s), which can be externally configured as environment variables, etc (allowedDomain variable in the snippet).
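As an added example that is not part of this thread, here is a complete Spring Security configuration built the same way (semicolon-separated directives, trusted domain substituted from configuration) and extended to cover the blocked resource from the question. Chrome reported `data` blocked by `font-src`: Vaadin's icon font is delivered as a `data:` URI, and in CSP the `*` wildcard only matches network schemes, so `font-src 'self' *` still rejects it; the `data:` scheme has to be listed explicitly. The class name, the `ALLOWED_DOMAIN` value and the `buildPolicy` helper are assumptions made for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class CspSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical trusted host; in a real deployment read it from
    // application properties or an environment variable instead.
    private static final String ALLOWED_DOMAIN = "https://cdn.example.invalid";

    // Builds the policy string. Every directive is separated by "; " so the
    // browser does not merge them into one malformed directive, which is the
    // mistake that makes a policy silently behave differently than intended.
    static String buildPolicy(String allowedDomain) {
        return String.join("; ",
                // anything not covered by a more specific directive below
                "default-src 'self'",
                // Vaadin 14's client bundle needs inline scripts and eval;
                // the trusted domain is appended for externally hosted scripts
                "script-src 'self' 'unsafe-inline' 'unsafe-eval' " + allowedDomain,
                // Vaadin injects component styles inline
                "style-src 'self' 'unsafe-inline' " + allowedDomain,
                // data: is required for the Vaadin icon font; '*' alone would
                // not admit it because wildcards never match the data: scheme
                "font-src 'self' data:");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Attach the header; other Vaadin-specific settings (e.g. CSRF handling
        // for the Vaadin endpoints) are left as they are in the rest of the project.
        http.headers().contentSecurityPolicy(buildPolicy(ALLOWED_DOMAIN));
    }
}
```

When rolling a policy like this out, `http.headers().contentSecurityPolicy(policy).reportOnly()` sends the same directives as `Content-Security-Policy-Report-Only`, so violations show up in the browser console (like the `data blocked font-src` rows above) without any resource actually being blocked; once the console is clean the enforcing header can replace it.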

Cool, that works. Thanks a lot!

My pleasure :slightly_smiling_face: