Fix CSP to allow Material Icons fonts and BC Gov scripts

danieltruong · danieltruong · commit 180c962f0723 · 2026-02-03T20:10:30.000Z
- Add fonts.gstatic.com to font-src for Material Icons
- Add use.typekit.net to script-src and font-src for Adobe fonts
- Add www2.gov.bc.ca to script-src for BC Gov analytics
- Add fonts.googleapis.com to style-src for Google Fonts CSS
- Add loginproxy.gov.bc.ca to connect-src for Keycloak
diff --git a/openshift/templates/nginx-runtime/default.conf b/openshift/templates/nginx-runtime/default.conf
@@ -14,7 +14,8 @@ server {
     server_name localhost;
 
     # Security headers
-    add_header Content-Security-Policy "default-src 'self' https://*.gov.bc.ca; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://*.gov.bc.ca; frame-ancestors 'none';" always;
+    # CSP allows: BC Gov resources, Google Fonts (Material Icons), Adobe Typekit, Keycloak
+    add_header Content-Security-Policy "default-src 'self' https://*.gov.bc.ca; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www2.gov.bc.ca https://use.typekit.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com https://use.typekit.net; connect-src 'self' https://*.gov.bc.ca https://*.loginproxy.gov.bc.ca; frame-ancestors 'none';" always;
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-Frame-Options "DENY" always;
