From d0f8e1148af0255e02f97c0ea2b065156915bf11 Mon Sep 17 00:00:00 2001
From: Robert Sparks
Date: Thu, 18 May 2023 16:29:30 -0500
Subject: [PATCH] chore: keep csp config in sync with production configuration (#5656)

---
 ietf/settings.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ietf/settings.py b/ietf/settings.py
index 092898abe..7934a42a7 100644
--- a/ietf/settings.py
+++ b/ietf/settings.py
@@ -537,7 +537,9 @@ IDNITS_BASE_URL = "https://author-tools.ietf.org/api/idnits"
 IDNITS_SERVICE_URL = "https://author-tools.ietf.org/idnits"
 
 # Content security policy configuration (django-csp)
-CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", f"data: {IDTRACKER_BASE_URL} https://www.ietf.org/ https://analytics.ietf.org/ https://fonts.googleapis.com/")
+# (In current production, the Content-Security-Policy header is completely set by nginx configuration, but
+# we try to keep this in sync to avoid confusion)
+CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", f"data: {IDTRACKER_BASE_URL} http://ietf.org/ https://www.ietf.org/ https://analytics.ietf.org/ https://static.ietf.org")
 
 # The name of the method to use to invoke the test suite
 TEST_RUNNER = 'ietf.utils.test_runner.IetfTestRunner'
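Review bot: The new `CSP_DEFAULT_SRC` value adds the cleartext origin `http://ietf.org/` to `default-src`, and since this hunk shows no narrower `script-src`, the fallback policy (which keeps `'unsafe-inline'`) would nominally allow active content from a non-TLS origin. If the nginx policy really carries that entry, check whether the apex host can be listed as `https://ietf.org/` in both places; if it cannot, a short comment should say why the http scheme is required. The added comment would also help more if it told the next editor what to do, for example `# NOTE: nginx sets the production header; a change here does not alter it, so update the nginx policy as well.` As a point of style, the third tuple element packs `data:` and four origins into one f-string, whereas one source per tuple element would make future drift from the nginx policy easier to spot in a diff.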