From 4c1293a74c743eafe190840f096e99c269ef1590 Mon Sep 17 00:00:00 2001
From: yangjianbo
Date: Mon, 5 Jan 2026 15:32:36 +0800
Subject: [PATCH] =?UTF-8?q?fix(=E5=AE=89=E5=85=A8):=20CSP=20=E7=AD=96?= =?UTF-8?q?=E7=95=A5=E6=B7=BB=E5=8A=A0=20Google=20Fonts=20=E6=94=AF?= =?UTF-8?q?=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

在 style-src 中添加 fonts.googleapis.com,在 font-src 中添加 fonts.gstatic.com,解决浏览器控制台因 CSP 策略阻止加载 Google Fonts 样式表的错误。
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 backend/internal/config/config.go | 2 +-
 deploy/config.example.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
index 0786b62f..1ddb375a 100644
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -17,7 +17,7 @@ const (
 RunModeSimple = "simple"
 )
-const DefaultCSPPolicy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+const DefaultCSPPolicy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
 // 连接池隔离策略常量
 // 用于控制上游 HTTP 连接池的隔离粒度,影响连接复用和资源消耗
diff --git a/deploy/config.example.yaml b/deploy/config.example.yaml
index 0f4babb5..3a1a2a98 100644
--- a/deploy/config.example.yaml
+++ b/deploy/config.example.yaml
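Review bot: `DefaultCSPPolicy` now allows `https://fonts.googleapis.com` in `style-src` and `https://fonts.gstatic.com` in `font-src` for every deployment that uses the built-in default, and the exported constant has no comment explaining why those third-party origins are trusted. Going by the commit message, the frontend references Google Fonts, so each visitor's browser will contact Google on page load. Bundling the font files with the frontend would let both directives stay at `'self' data:`. If the external origins are kept, I would document them above the constant, e.g. `// DefaultCSPPolicy is the built-in Content-Security-Policy; the fonts.googleapis.com and fonts.gstatic.com entries exist only so the frontend can load Google Fonts.` The rest of config.go is outside this hunk, so how the constant is applied cannot be confirmed from here.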
@@ -69,7 +69,7 @@ security:
 # Enable Content-Security-Policy header
 enabled: true
 # Default CSP policy (override if you host assets on other domains)
- policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+ policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
 proxy_probe:
 # Allow skipping TLS verification for proxy probe (debug only)
 insecure_skip_verify: false
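Review bot: The comment above `policy:` still only says to override the value when assets live on other domains, so an operator copying this example cannot tell that the two Google origins are optional. I would extend it to something like `# Default CSP policy; the fonts.googleapis.com / fonts.gstatic.com entries can be removed if fonts are self-hosted`. The value is also a hand-copied duplicate of `DefaultCSPPolicy` in config.go. If no test compares the two strings already, adding one would keep the example from drifting away from the compiled-in default.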