From ab9dd32902c65fde5ea3de3288f61770982096ae Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Mon, 25 Sep 2017 10:19:36 +0200
Subject: [PATCH] Add font-src to default CSP header

---
 src/pretix/base/middleware.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index fa0f7385eb..d362b5a87f 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -186,6 +186,7 @@ class SecurityMiddleware(MiddlewareMixin):
             'style-src': ["{static}", "{media}", "'nonce-{nonce}'"],
             'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
             'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
+            'font-src': ["{static}"],
             # form-action is not only used to match on form actions, but also on URLs
             # form-actions redirect to. In the context of e.g. payment providers or
             # single-sign-on this can be nearly anything so we cannot really restrict