diff --git a/.env.example.complete b/.env.example.complete
index ed0cac5f4..6c773f601 100644
--- a/.env.example.complete
+++ b/.env.example.complete
@@ -398,8 +398,8 @@ ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtub
# A list of sources/hostnames that can be loaded as CSS styles within BookStack.
# Space separated if multiple. BookStack host domain is auto-inferred.
# Defaults to a permissive set if not provided.
-# Example: ALLOWED_CSS_SOURCES="https://fonts.googleapis.com"
-ALLOWED_CSS_SOURCES=null
+# Example: ALLOWED_STYLE_SOURCES="https://fonts.googleapis.com"
+ALLOWED_STYLE_SOURCES=null
# A list of sources/hostnames that can be loaded as image content within BookStack.
# Space separated if multiple. BookStack host domain is auto-inferred, in addition to
diff --git a/app/Config/app.php b/app/Config/app.php
index 12f285ea9..c38cd0e1f 100644
--- a/app/Config/app.php
+++ b/app/Config/app.php
@@ -72,10 +72,10 @@ return [
// Current host and source for the "DRAWIO" setting will be auto-appended to the sources configured.
'iframe_sources' => env('ALLOWED_IFRAME_SOURCES', 'https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com'),
- // A list of sources/hostnames that can be loaded as CSS styles within BookStack.
+ // A list of style sources/hostnames that can be loaded styles within BookStack.
// Space separated if multiple. BookStack host domain is auto-inferred.
// If not set, a permissive default set is used to reduce potential breakage.
- 'css_sources' => env('ALLOWED_CSS_SOURCES', null),
+ 'style_sources' => env('ALLOWED_STYLE_SOURCES', null),
// A list of sources/hostnames that can be loaded as image content within BookStack.
// Space separated if multiple. BookStack host domain is auto-inferred, in addition to
diff --git a/app/Util/CspService.php b/app/Util/CspService.php
index 68c544ff0..9b871e7ff 100644
--- a/app/Util/CspService.php
+++ b/app/Util/CspService.php
@@ -169,7 +169,7 @@ class CspService
*/
protected function getAllowedStyleSources(): array
{
- $configured = config('app.css_sources');
+ $configured = config('app.style_sources');
if (is_string($configured)) {
$sources = array_filter(explode(' ', $configured));
diff --git a/phpunit.xml b/phpunit.xml
index 52c5e7de8..55d84d129 100644
--- a/phpunit.xml
+++ b/phpunit.xml
@@ -18,7 +18,7 @@
-
+
diff --git a/tests/SecurityHeaderTest.php b/tests/SecurityHeaderTest.php
index 8badc39b9..5664084ff 100644
--- a/tests/SecurityHeaderTest.php
+++ b/tests/SecurityHeaderTest.php
@@ -153,7 +153,7 @@ class SecurityHeaderTest extends TestCase
public function test_style_src_csp_header_set_to_permissive_defaults_when_not_configured()
{
- config()->set('app.css_sources', null);
+ config()->set('app.style_sources', null);
$resp = $this->get('/');
$header = $this->getCspHeader($resp, 'style-src');
@@ -162,7 +162,7 @@ class SecurityHeaderTest extends TestCase
public function test_style_src_csp_header_can_be_overridden_by_config()
{
- config()->set('app.css_sources', 'https://fonts.example.com');
+ config()->set('app.style_sources', 'https://fonts.example.com');
$resp = $this->get('/');
$header = $this->getCspHeader($resp, 'style-src');
@@ -172,7 +172,7 @@ class SecurityHeaderTest extends TestCase
public function test_style_src_csp_header_unsafe_inline_value_will_be_auto_quoted()
{
- config()->set('app.css_sources', 'unsafe-inline https://css.example.com');
+ config()->set('app.style_sources', 'unsafe-inline https://css.example.com');
$resp = $this->get('/');
$header = $this->getCspHeader($resp, 'style-src');
@@ -182,7 +182,7 @@ class SecurityHeaderTest extends TestCase
public function test_style_src_can_be_blank_to_set_no_additions()
{
- config()->set('app.css_sources', '');
+ config()->set('app.style_sources', '');
$resp = $this->get('/');
$header = $this->getCspHeader($resp, 'style-src');