Redactor icons and Security Policy conflict

Hi everyone,

I’m trying to tighten my Content-Security-Policy (CSP) but still allow Redactor (v3.1.2-pl) to work properly.

Everything is hosted on the same domain, and Redactor loads fine, but the toolbar icons aren’t showing up — I suspect it’s a CSP issue.

Here’s my current CSP header:
add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: blob: 'unsafe-inline'";

Any idea what I should add or adjust to allow only Redactor to display its icons correctly?

Thanks in advance for any help!

Paging the ever-helpful but possibly busy @markh

I don’t have an example readily available, but the icons are in an embedded/inline icon font in the CSS, which likely requires a special rule to allow.
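An added example, not part of the original thread and not Redactor's or MODX's own code: a simplified CSP source-list check showing why the posted policy blocks an embedded font while allowing `data:` images, and what one extra directive changes. It assumes the icon font is embedded in the CSS as a `data:` URI; the origin `example.test` and the dummy font URL are constructed.

```python
from urllib.parse import urlsplit

# The policy from the question, and the same policy with one added directive.
# Assumption: the icon font is embedded in Redactor's CSS as a data: URI.
ORIGINAL = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: blob: 'unsafe-inline'"
WITH_FONT_RULE = ORIGINAL + "; font-src 'self' data:"

# Constructed sample values: a placeholder origin and a dummy data: font URL.
PAGE = "https://example.test/manager/"
DATA_FONT = "data:application/font-woff;base64,AAAA"


def parse_csp(header):
    """Return {directive: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy, directive):
    """Fetch directives such as font-src fall back to default-src when absent."""
    if directive in policy:
        return directive
    return "default-src" if "default-src" in policy else None


def allows(header, directive, url, page=PAGE):
    """Simplified source-list match: '*', scheme-sources and 'self' only."""
    policy = parse_csp(header)
    governing = governing_directive(policy, directive)
    if governing is None:
        return True  # nothing restricts this resource type
    target, origin = urlsplit(url), urlsplit(page)
    for source in (s.lower() for s in policy[governing]):
        if source == "*":
            # The wildcard covers network schemes only, never data: or blob:.
            if target.scheme in ("http", "https", "ws", "wss", origin.scheme):
                return True
        elif source.endswith(":") and "/" not in source:
            if source[:-1] == target.scheme:
                return True
        elif source == "'self'":
            if (target.scheme, target.netloc) == (origin.scheme, origin.netloc):
                return True
    return False  # keywords like 'unsafe-inline' never match a URL


if __name__ == "__main__":
    for name, header in (("original", ORIGINAL), ("with font-src", WITH_FONT_RULE)):
        print(name, "-> data: font allowed:", allows(header, "font-src", DATA_FONT))
```

In the nginx `add_header` line this corresponds to appending `; font-src 'self' data:` inside the quoted policy value.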