fix: add data: to style-src and font-src CSP directives in serveAsset

[howwohmm]

Problem
The serveAsset handler in packages/api/utils/assets.ts was missing data: in the style-src CSP directive and had no font-src directive at all. This caused browsers to block inline data URIs used by fonts and styles when assets are served through the API.

Fix
Added data: to style-src and inserted a new font-src https: data: directive between style-src and connect-src in the Content-Security-Policy header built inside serveAsset.

What this doesn't change
CSP directives for other handlers (e.g. the main app routes) are unaffected.

[coderabbitai]

Walkthrough

Updated the Content-Security-Policy header in the serveAsset function by extending the style-src directive to allow data: sources and adding a new font-src directive allowing both https: and data: sources.

Changes

Cohort / File(s)	Summary
Security Policy Headers packages/api/utils/assets.ts	Extended style-src CSP directive to allow data: sources alongside https:, and added new font-src directive permitting https: and data: sources.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding data: to style-src and adding font-src CSP directives in the serveAsset function.
Description check	✅ Passed	The description is well-related to the changeset, clearly explaining the problem, the fix applied, and explicitly stating what remains unchanged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR fixes missing CSP directives in the serveAsset handler in packages/api/utils/assets.ts that were causing browsers to block inline data URIs used by fonts and styles when assets are served through the API.

• Added data: to the existing style-src 'unsafe-inline' https: directive to allow data-URI encoded stylesheets
• Added a new font-src https: data: directive between style-src and connect-src to explicitly allow web fonts from HTTPS and data-URI sources
• The sandbox directive and the rest of the CSP policy remain unchanged, limiting the security impact of these additions
• No other handlers or CSP configurations are affected

Confidence Score: 5/5

Safe to merge — the change is minimal, targeted, and correct; the additions are narrowly scoped to the asset-serving handler which already carries 'unsafe-inline' in style-src

The only changes are two CSP token additions that directly address the reported browser-blocking issue. The sandbox directive provides strong isolation of the served content. Adding data: to style-src is inconsequential given 'unsafe-inline' is already present, and the new font-src https: data: directive is a standard allowance for data-URI fonts. No logic, auth, or data-handling code is touched.

No files require special attention

Important Files Changed

Filename	Overview
packages/api/utils/assets.ts	Adds data: to style-src CSP directive and a new font-src https: data: directive in the serveAsset handler to allow browser-rendering of data-URI fonts and styles

_{Reviews (1): Last reviewed commit: "fix: add data: to style-src and font-src..." | Re-trigger Greptile}

[coderabbitai]

🧹 Nitpick comments (1)

packages/api/utils/assets.ts (1)

37-38: LGTM! CSP directives correctly allow data URIs for fonts and styles.

The additions of data: to style-src and the new font-src https: data: directive solve the stated problem (browsers blocking inline data URIs in archived HTML). The changes are consistent with existing precedent—both img-src (line 36) and media-src (line 40) already allow data: sources.

Optional: Consider adding blob: to font-src for consistency.

Note that img-src and media-src both allow blob: in addition to data:. If there's a possibility that fonts might be loaded from blob URLs in the future, you may want to add blob: to font-src as well:

-      "font-src https: data:",
+      "font-src https: data: blob:",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/api/utils/assets.ts` around lines 37 - 38, Update the
Content-Security-Policy directive for fonts in packages/api/utils/assets.ts to
also allow blob: URLs by appending "blob:" to the "font-src" entry (currently
"font-src https: data:"); modify that directive to "font-src https: data: blob:"
so it matches img-src/media-src precedent and permits future blob-based font
loading.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/api/utils/assets.ts`:
- Around line 37-38: Update the Content-Security-Policy directive for fonts in
packages/api/utils/assets.ts to also allow blob: URLs by appending "blob:" to
the "font-src" entry (currently "font-src https: data:"); modify that directive
to "font-src https: data: blob:" so it matches img-src/media-src precedent and
permits future blob-based font loading.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: effea7ae-9e00-4d6a-bd00-cc9b1548d942

📥 Commits

Reviewing files that changed from the base of the PR and between bc14214 and 01e6bdf.

📒 Files selected for processing (1)

• packages/api/utils/assets.ts

[MohamedBassem]

Thank you.