fix: add data: URI support to CSP for full page archives

xingzihai · xingzihai · commit c0f05f47d80d · 2026-03-27T12:29:29.000Z
Fixes #2621 When CRAWLER_FULL_PAGE_ARCHIVE=true is enabled, monolith generates full page archives with CSS inlined as data URIs (data:text/css;base64,...). The existing CSP header blocked these data URIs in the style-src directive, causing CSS to fail loading. Changes: - Add 'data:' to style-src directive for CSS data URIs - Add font-src directive with 'data:' support for inline fonts This allows monolith-generated archives to render correctly while maintaining CSP security for external resources.
diff --git a/packages/api/utils/assets.ts b/packages/api/utils/assets.ts
@@ -34,7 +34,8 @@ export async function serveAsset(c: Context, assetId: string, userId: string) {
       "base-uri 'none'",
       "form-action 'none'",
       "img-src https: data: blob:",
-      "style-src 'unsafe-inline' https:",
+      "style-src 'unsafe-inline' https: data:",
+      "font-src https: data:",
       "connect-src 'none'",
       "media-src https: data: blob:",
       "object-src 'none'",
