jhipster / generator-jhipster

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures.
https://www.jhipster.tech
Apache License 2.0

Add fonts.googleapis.com exclusion to SecurityConfiguration #12677

Closed tillias closed 4 years ago

tillias commented 4 years ago
Overview of the feature request

For a sample app deployed to any cloud provider, the following error is displayed in the browser console log: Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Source+Sans+Pro&display=swap' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

inside config/SecurityConfiguration.java:

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .csrf()
            .disable()
            .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
            .exceptionHandling()
            .authenticationEntryPoint(problemSupport)
            .accessDeniedHandler(problemSupport)
            .and()
            .headers()
            .contentSecurityPolicy(
                String.format("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src %s; font-src 'self' data:", cspProperties.getImageSrc()))

There is already an exclusion for script-src https://storage.googleapis.com.

Please do the same for font-src and/or style-src and https://fonts.googleapis.com.

Motivation for or Use Case

To make an even better product than it is now; it is also quite simple to fix, actually.

Related issues or PR

atomfrede commented 4 years ago

Can you fill out the issue template, please? Did you select a Bootswatch theme? For a default application the CSP is not blocking anything.

tillias commented 4 years ago

It depends on how you start the app. If it is running on localhost, it works just fine. When you deploy it to Heroku or AWS it throws such a message. That is actually a feature request, not a bug template, or what do you mean?

atomfrede commented 4 years ago

We have the font policy when a bootswatch theme is selected. https://github.com/jhipster/generator-jhipster/blob/master/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs#L244

I will check with Heroku, but I am pretty sure there is no issue with the default configuration, as I usually test on Heroku. I mean the issue template with all the required information to reproduce the issue (e.g. selected options).

tillias commented 4 years ago

Oh, I see. I will close this one and create a bug issue later, then. I used Bootswatch and the latest version of the generator available, and had to make the CSP IMG_SRC configurable in my codebase, for example. I don't know where this https://fonts.googleapis.com is coming from, because I haven't modified any default styles or customized the Bootswatch theme in any way.

atomfrede commented 4 years ago

I have seen that you have added 3rd-party stylesheets and have modified the CSP policy (which no longer contains the font-src we should generate). I will check with Bootswatch later today; maybe we miss something or the generation has a bug.

tillias commented 4 years ago

Yes, I have updated img-src, but let me check whether it throws the same error without the vis-network styles. I will open a bug issue instead of a feature request if it is still reproducible.

atomfrede commented 4 years ago

@tillias I have looked at your source code and it was generated without the Google Fonts policy. So I will reopen this, as it looks like a bug on our side: the if statement seems not to work correctly.

tillias commented 4 years ago

I have generated it from scratch and it seems font-src and style-src are not set:

        .and()
            .headers()
            .contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:")
INFO! Using JHipster version installed locally in current project's node_modules
INFO! Executing jhipster:info

JHipster Version(s)
test@0.0.1-SNAPSHOT C:\Development\Projects\test
`-- generator-jhipster@6.10.3 
##### **JHipster configuration, a `.yo-rc.json` file generated in the root folder**

<details>
<summary>.yo-rc.json file</summary>
<pre>
{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "com.test.test",
      "nativeLanguage": "en"
    },
    "jhipsterVersion": "6.10.3",
    "applicationType": "monolith",
    "baseName": "test",
    "packageName": "com.test.test",
    "packageFolder": "com/test/test",
    "serverPort": "8080",
    "authenticationType": "jwt",
    "cacheProvider": "no",
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "h2Memory",
    "prodDatabaseType": "postgresql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": false,
    "buildTool": "maven",
    "enableSwaggerCodegen": false,
    "jwtSecretKey": "YourJWTSecretKeyWasReplacedByThisMeaninglessTextByTheJHipsterInfoCommandForObviousSecurityReasons",
    "embeddableLaunchScript": false,
    "useSass": true,
    "clientPackageManager": "npm",
    "clientFramework": "angularX",
    "clientTheme": "solar",
    "clientThemeVariant": "primary",
    "creationTimestamp": 1602153348470,
    "testFrameworks": ["cucumber"],
    "jhiPrefix": "jhi",
    "entitySuffix": "",
    "dtoSuffix": "DTO",
    "otherModules": [],
    "enableTranslation": true,
    "nativeLanguage": "en",
    "languages": ["en"],
    "blueprints": []
  }
}

</pre>
</details>

##### **JDL for the Entity configuration(s) `entityName.json` files generated in the `.jhipster` directory**

<details>
<summary>JDL entity definitions</summary>

<pre>

</pre>
</details>

##### **Environment and Tools**

java version "11.0.8" 2020-07-14 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.8+10-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.8+10-LTS, mixed mode)

git version 2.24.1.windows.2

node: v12.18.3

npm: 6.14.6

Docker version 19.03.13, build 4484c46d9d

docker-compose version 1.27.4, build 40524192

INFO! Congratulations, JHipster execution is complete!

atomfrede commented 4 years ago

Thanks. As I said, it seems like a bug. It worked when we added the CSP. Will take care of it.

atomfrede commented 4 years ago

I have used the current master and the CSP seems correct. Will check the 6.10.3 release, but the code has not changed.

Generated CSP:

contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:")
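
The browser-side decision that the console message in the original report describes, as an added example that is not code from this issue or from the JHipster project: a small JavaScript CSP evaluator that applies the CSP3 fallback chain (style-src-elem to style-src to default-src; font-src to default-src) and checks both policies quoted in this thread, the reporter's freshly generated one and the Bootswatch one generated from master. The deployment origin `https://myapp.example.com`, the font-file path under fonts.gstatic.com and the third-party host `cdn.example.net` are constructed inputs; `checkLoad`, `sourceMatches` and `demo` are helpers written for this example, not a browser or Spring Security API. Nonces and hashes are not handled and path matching is simplified.

```javascript
// Added example (not from the JHipster project or this issue): a small CSP
// evaluator mirroring the browser decision quoted in the report. It applies
// the CSP3 fallback chain (style-src-elem -> style-src -> default-src,
// font-src -> default-src, ...) and the source expressions used on this page:
// 'self', 'unsafe-inline', 'unsafe-eval', scheme sources (data:) and host
// sources (https://fonts.gstatic.com). Nonces/hashes are not handled and
// path matching is simplified.

// Directive consulted for each load type, most specific first.
const FALLBACK = {
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'font-src': ['font-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
};

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Parse "name src src; name src" into a Map. A repeated directive is ignored
// after its first occurrence, as browsers do.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression allow `url` for a page whose URL is `self`?
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === self.origin;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', 'unsafe-eval', nonces, hashes never match a URL
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) { // scheme source, e.g. data:
    return url.protocol === e || (e === 'http:' && url.protocol === 'https:');
  }
  // host source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    const s = scheme.toLowerCase() + ':';
    if (url.protocol !== s && !(s === 'http:' && url.protocol === 'https:')) return false;
  } else if (url.protocol !== self.protocol && url.protocol !== 'https:') {
    return false; // no scheme in the expression: page scheme or a secure upgrade only
  }
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === undefined ? url.port !== '' : port !== '*' && port !== urlPort) return false;
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Is a load of `urlString` as `loadType` allowed by `header` for a page at
// `pageOrigin`? Also reports the directive that decided, which is the one the
// browser names in its console message.
function checkLoad(header, loadType, urlString, pageOrigin) {
  const policy = parsePolicy(header);
  const url = new URL(urlString);
  const self = new URL(pageOrigin);
  const chain = FALLBACK[loadType] || [loadType, 'default-src'];
  const directive = chain.find((d) => policy.has(d)) || null;
  if (directive === null) return { allowed: true, directive }; // nothing governs this load type
  return { allowed: policy.get(directive).some((s) => sourceMatches(s, url, self)), directive };
}

// Policy quoted from the reporter's freshly generated app (no Google Fonts hosts).
const ORIGINAL_CSP =
  "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:";
// Policy the maintainer generated from master for a Bootswatch theme.
const THEME_CSP =
  "default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:";

// Constructed inputs: an assumed deployment origin, the stylesheet URL from the
// report, an assumed font-file path and an unrelated third-party host.
const PAGE = 'https://myapp.example.com';
const STYLESHEET = 'https://fonts.googleapis.com/css?family=Source+Sans+Pro&display=swap';
const FONT_FILE = 'https://fonts.gstatic.com/s/sourcesanspro/v14/sample.woff2';
const OTHER_CSS = 'https://cdn.example.net/theme.css';

function demo() {
  return {
    originalStylesheet: checkLoad(ORIGINAL_CSP, 'style-src-elem', STYLESHEET, PAGE), // blocked by style-src
    themeStylesheet: checkLoad(THEME_CSP, 'style-src-elem', STYLESHEET, PAGE),       // allowed
    themeFont: checkLoad(THEME_CSP, 'font-src', FONT_FILE, PAGE),                    // allowed
    themeOtherHost: checkLoad(THEME_CSP, 'style-src-elem', OTHER_CSS, PAGE),         // still blocked
  };
}

console.log(demo());
```

Running it with Node shows the reporter's policy rejecting the Google Fonts stylesheet under `style-src` (the directive the browser named, because no `style-src-elem` was set), while the Bootswatch policy admits exactly the two Google hosts and nothing else. Note that the fix widens `style-src` to one extra host only; it does not touch `'unsafe-inline'`, which the generated policy already carries and which is the larger risk in this header.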
atomfrede commented 4 years ago

@tillias As I can't reproduce it and you have no additional input, I will close this issue. If you think there is still a bug, feel free to reach out again and we can reopen this.