From af8bd86e116940eccac582be3d93e857f52924f7 Mon Sep 17 00:00:00 2001 From: Test Date: Thu, 19 Mar 2026 21:03:55 +0100 Subject: [PATCH] fix(serve): exclude /assets/ from layout middleware, allow data: fonts in CSP Two bugs: 1. The redirect middleware was wrapping /assets/htmx.js and /assets/mermaid.js responses in the HTML page shell, causing "Unexpected token '<'" errors in the browser. Fixed by excluding /assets/* paths from the middleware (same as /api/*, /wasm/*, etc.) 2. CSP header blocked base64-embedded fonts (data: URIs) because font-src defaulted to 'self'. Added explicit font-src 'self' data: directive. Fixes: FEAT-001 Co-Authored-By: Claude Sonnet 4.6
---
rivet-cli/src/serve/mod.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rivet-cli/src/serve/mod.rs b/rivet-cli/src/serve/mod.rs
index bb5126d..b362f98 100644
--- a/rivet-cli/src/serve/mod.rs
+++ b/rivet-cli/src/serve/mod.rs
@@ -397,7 +397,7 @@ pub async fn run(
 |mut response: axum::response::Response| async move {
 response.headers_mut().insert(
 "Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'"
+ "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'"
 .parse()
 .unwrap(),
 );
@@ -435,6 +435,7 @@ async fn wrap_full_page(
 && !is_htmx
 && path != "/"
 && !path.starts_with("/api/")
+ && !path.starts_with("/assets/")
 && !path.starts_with("/wasm/")
 && !path.starts_with("/source-raw/")
 && !path.starts_with("/docs-asset/")
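Review bot: The new Content-Security-Policy literal still carries `script-src 'self' 'unsafe-inline'`, so any markup injection into a served page can run inline script and the header provides little XSS protection; because this closure already builds the header per response, a per-response nonce (`script-src 'self' 'nonce-<random-per-response>'`, with the same value on the shell's inline `<script>` tags) or script hashes would close that gap while keeping whatever inline scripts the page shell needs. `base-uri` and `frame-ancestors` do not fall back to `default-src`, so appending `; object-src 'none'; base-uri 'self'; frame-ancestors 'none'` to the same literal is cheap hardening (relax `frame-ancestors` only if the UI is meant to be embedded). A comment above the `insert` call recording why the `data:` allowances exist, e.g. `// font-src allows data: because the bundled CSS embeds base64 fonts (FEAT-001); img-src data: predates it`, would keep a later cleanup from dropping them — whether images are also embedded I cannot tell from this hunk. The closure belongs to `run`, which starts and ends outside the hunk.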
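Review bot: The added `/assets/` exclusion fixes this instance, but the bug class remains: `wrap_full_page` decides by a hand-maintained path prefix list, so the next non-HTML route (another static directory, a download or export endpoint) will again be wrapped in the page shell until a broken response is noticed in the browser. If the response is in scope at this point, gating on its `Content-Type` instead (wrap only when the value starts with `text/html`) removes the list entirely and cannot drift; the hunk shows only `path` and `is_htmx`, so whether the response is reachable here I cannot tell. Short of that, a comment above the chain, `// Paths whose bodies are not HTML (JSON, JS, WASM, raw sources, doc assets): wrapping them in the page shell corrupts the payload`, records why the list exists. `wrap_full_page` starts and ends outside the hunk.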