From 8b53c07eb2f11a31a757d7ee0f6e60f68c3f1d83 Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Tue, 2 Jun 2026 13:29:43 +0000
Subject: fix(security): allow vercel.live and loosen font-src in CSP

Fonts load via proxy.due.moe from hosts the pinned font-src missed; loosen to https: (matches img/media-src) since fonts cannot execute. Add vercel.live (preview feedback toolbar) to script/style/frame-src.
---
 svelte.config.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'svelte.config.js')

diff --git a/svelte.config.js b/svelte.config.js
index f21e40e9..09a3217e 100644
--- a/svelte.config.js
+++ b/svelte.config.js
@@ -21,17 +21,19 @@ const config = {
 "self",
 "https://analytics.fuwn.me",
 "https://va.vercel-scripts.com",
+ "https://vercel.live",
 ],
- "style-src": ["self", "unsafe-inline", "https://proxy.due.moe"],
- "font-src": [
+ "style-src": [
 "self",
- "data:",
- "https://fonts.gstatic.com",
+ "unsafe-inline",
 "https://proxy.due.moe",
+ "https://vercel.live",
 ],
+ "font-src": ["self", "data:", "https:"],
 "img-src": ["self", "data:", "blob:", "https:"],
 "media-src": ["self", "data:", "blob:", "https:"],
 "connect-src": ["self", "https:", "ws:", "wss:"],
+ "frame-src": ["self", "https://vercel.live"],
 "object-src": ["none"],
 "base-uri": ["self"],
 "frame-ancestors": ["self"],
-- 
cgit v1.2.3
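Review bot: `"https://vercel.live"` is added unconditionally to script-src (and likewise to style-src and frame-src), although the commit message describes it as the preview feedback toolbar, so production pages also trust that origin for script execution. Consider gating the entry on the deployment environment, e.g. replacing each of the three literals with `...(process.env.VERCEL_ENV === "preview" ? ["https://vercel.live"] : []),`, so the production script-src stays as tight as it was before this change. The new `frame-src` line also replaces whatever `default-src` previously implied for frames; `default-src` is outside the hunk, so confirm the net effect is the intended narrowing rather than a widening. The `config` object begins and ends outside the hunk.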