diff options
| author | Fuwn <[email protected]> | 2026-06-02 13:29:43 +0000 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-06-02 13:29:43 +0000 |
| commit | 8b53c07eb2f11a31a757d7ee0f6e60f68c3f1d83 (patch) | |
| tree | 8f007187f1ee2a5ea601d3a135fe3a50daec6142 | |
| parent | chore: remove unused /api/oauth/refresh route (M5b) (diff) | |
| download | due.moe-8b53c07eb2f11a31a757d7ee0f6e60f68c3f1d83.tar.xz due.moe-8b53c07eb2f11a31a757d7ee0f6e60f68c3f1d83.zip | |
Fonts load via proxy.due.moe from hosts the pinned font-src missed;
loosen to https: (matches img/media-src) since fonts cannot execute.
Add vercel.live (preview feedback toolbar) to script/style/frame-src.
| -rw-r--r-- | svelte.config.js | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/svelte.config.js b/svelte.config.js index f21e40e9..09a3217e 100644 --- a/svelte.config.js +++ b/svelte.config.js @@ -21,17 +21,19 @@ const config = { "self", "https://analytics.fuwn.me", "https://va.vercel-scripts.com", + "https://vercel.live", ], - "style-src": ["self", "unsafe-inline", "https://proxy.due.moe"], - "font-src": [ + "style-src": [ "self", - "data:", - "https://fonts.gstatic.com", + "unsafe-inline", "https://proxy.due.moe", + "https://vercel.live", ], + "font-src": ["self", "data:", "https:"], "img-src": ["self", "data:", "blob:", "https:"], "media-src": ["self", "data:", "blob:", "https:"], "connect-src": ["self", "https:", "ws:", "wss:"], + "frame-src": ["self", "https://vercel.live"], "object-src": ["none"], "base-uri": ["self"], "frame-ancestors": ["self"], |