From 9ce46c19cb4108f24d5534e777056facb8124406 Mon Sep 17 00:00:00 2001
From: Adam Shimali <adam.shimali@gmail.com>
Date: Wed, 13 Jan 2016 10:37:34 +0000
Subject: [PATCH] Add content security policy directive to allow loading of
 base64 encoded fonts.

---
 app/__init__.py                      | 2 +-
 tests/app/main/views/test_headers.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index 010bc693b..9dc27d08c 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -124,7 +124,7 @@ def useful_headers_after_request(response):
     response.headers.add('X-Content-Type-Options', 'nosniff')
     response.headers.add('X-XSS-Protection', '1; mode=block')
     response.headers.add('Content-Security-Policy',
-                         "default-src 'self' 'unsafe-inline'")
+                         "default-src 'self' 'unsafe-inline'; font-src 'self' data:;")  # noqa
     return response
 
 
diff --git a/tests/app/main/views/test_headers.py b/tests/app/main/views/test_headers.py
index a6a584a6c..40ade72ae 100644
--- a/tests/app/main/views/test_headers.py
+++ b/tests/app/main/views/test_headers.py
@@ -6,4 +6,4 @@ def test_owasp_useful_headers_set(notifications_admin):
     assert response.headers['X-Frame-Options'] == 'deny'
     assert response.headers['X-Content-Type-Options'] == 'nosniff'
     assert response.headers['X-XSS-Protection'] == '1; mode=block'
-    assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'"  # noqa
+    assert response.headers['Content-Security-Policy'] == "default-src 'self' 'unsafe-inline'; font-src 'self' data:;"  # noqa