From b5fcb7c14a691497ea76b88e925a075f6b2138e4 Mon Sep 17 00:00:00 2001
From: "bert.hausmans"
Date: Tue, 14 Apr 2026 16:20:51 +0200
Subject: [PATCH] fix: add Google Fonts domains to CSP policy

Vuexy loads fonts via webfontloader from fonts.googleapis.com and fonts.gstatic.com. The previous CSP blocked these, causing a white screen.

- style-src: added https://fonts.googleapis.com
- font-src: added https://fonts.gstatic.com
- Removed frame-ancestors from meta tags (ignored in meta, console warnings)

Updated in all three index.html dev meta tags and both Nginx SPA/portal configs.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/admin/index.html | 2 +-
 apps/app/index.html | 2 +-
 apps/portal/index.html | 2 +-
 deploy/nginx/csp-portal.conf | 2 +-
 deploy/nginx/csp-spa.conf | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/apps/admin/index.html b/apps/admin/index.html
index 2993d09e..6872c3a8 100644
--- a/apps/admin/index.html
+++ b/apps/admin/index.html
@@ -9,7 +9,7 @@ Crewli Admin
+ content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:8000 ws://localhost:5173; form-action 'self'; base-uri 'self'">
diff --git a/apps/app/index.html b/apps/app/index.html
index 4defa60c..70752723 100644
--- a/apps/app/index.html
+++ b/apps/app/index.html
@@ -9,7 +9,7 @@ Crewli — Organizer
+ content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:8000 ws://localhost:5174; form-action 'self'; base-uri 'self'">
diff --git a/apps/portal/index.html b/apps/portal/index.html
index 21d1926d..4c9cf53d 100644
--- a/apps/portal/index.html
+++ b/apps/portal/index.html
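Review bot: The added `content=` line in apps/admin/index.html still carries `'unsafe-inline' 'unsafe-eval'` in script-src and localhost entries in connect-src, none of which appear in the nginx policies this commit also touches, yet nothing in the markup marks the tag as dev-only; the same applies to the hunks for apps/app/index.html and apps/portal/index.html. A browser enforces every CSP it receives, so a meta tag that survives into the built index.html would be applied alongside the nginx header — confirm the build drops it, and record the intent above the tag, e.g. `<!-- Dev-only CSP for the local dev server; the production policy is set in deploy/nginx/csp-spa.conf / csp-portal.conf and the font allow-list must be kept in sync with it -->`. The removed lines of these three hunks are not visible in this rendering, so the pre-change policy cannot be checked against the commit message here.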
@@ -9,7 +9,7 @@ Crewli — Portal
+ content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' http://localhost:8000 ws://localhost:5175; form-action 'self'; base-uri 'self'">
diff --git a/deploy/nginx/csp-portal.conf b/deploy/nginx/csp-portal.conf
index 241c04dc..256eac5c 100644
--- a/deploy/nginx/csp-portal.conf
+++ b/deploy/nginx/csp-portal.conf
@@ -1,4 +1,4 @@
 # CSP for portal.crewli.app
 # Same policy as SPA but with stricter connect-src since portal
 # should only talk to the API.
-add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
diff --git a/deploy/nginx/csp-spa.conf b/deploy/nginx/csp-spa.conf
index 22470873..f8a0b515 100644
--- a/deploy/nginx/csp-spa.conf
+++ b/deploy/nginx/csp-spa.conf
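Review bot: The rewritten `add_header Content-Security-Policy` line in deploy/nginx/csp-portal.conf now admits two third-party origins, but unlike deploy/nginx/csp-spa.conf this file keeps no Report-Only twin of the policy, so an allow-list change cannot be trialled here before it is enforced. Keeping a commented `# add_header Content-Security-Policy-Report-Only "…" always;` line with the identical directive string above the enforce line would mirror the SPA file and let the next change be staged the same way. The header comment `# Same policy as SPA but with stricter connect-src` remains accurate after this change, since only the style-src and font-src entries were added on both sides.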
@@ -9,7 +9,7 @@
 # of clean logs.
 # Report-only mode (start with this):
-# add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
+# add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
 # Enforce mode (switch to this after testing):
-add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;
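Review bot: Neither the Report-Only line nor the enforced `add_header Content-Security-Policy` line in deploy/nginx/csp-spa.conf declares a reporting directive, so the report-only mode the file comments recommend surfaces violations only in each user's browser console, never to operators. If a collector endpoint exists, append `report-uri <COLLECTOR_URL>` (placeholder) to both policy strings, or `report-to` together with a matching `Reporting-Endpoints` header; the same gap exists in deploy/nginx/csp-portal.conf. Keeping the commented Report-Only string byte-for-byte identical to the enforced one, as this hunk does, is the right discipline. The hunk header counts seven lines on each side but only five are visible here, so some context appears to have been lost in this rendering.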