authorFlorian Pritz <bluewind@xinu.at>2019-05-21 23:11:29 +0200
committerFlorian Pritz <bluewind@xinu.at>2019-05-21 23:12:30 +0200
commit3e6414bf9643d7d9e6893c12b30a1840925f1c5b (patch)
treea45832377643dd00a5784f459e76615e6434516f
parenta0abfecacde13f7977fb0bcf3ba9d736ce7c66bb (diff)
Allow data URLs in CSP header
Signed-off-by: Florian Pritz <bluewind@xinu.at>
-rw-r--r--NEWS1
-rw-r--r--application/controllers/Main.php2
2 files changed, 2 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 7dbefd5e1..87322517b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
This file lists major, incompatible or otherwise important changes, you should look at it after every update.
NEXT
+ - Allow data: URLs in Content-Security-Policy header for images and fonts
3.3.2 2019-05-15
- Fix compatability with Pygments 2.4.0
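--- a/application/controllers/Main.php
+++ b/application/controllers/Main.php
@@ -219,7 +219,7 @@ class Main extends MY_Controller {
 // prevent javascript from being executed and forbid frames
 // this should allow us to serve user submitted HTML content without huge security risks
 foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $header_name) {
-header("$header_name: default-src 'none'; img-src *; media-src *; font-src *; style-src 'unsafe-inline' *; script-src 'none'; object-src *; frame-src 'none'; ");
+header("$header_name: default-src 'none'; img-src data: *; media-src *; font-src data: *; style-src 'unsafe-inline' *; script-src 'none'; object-src *; frame-src 'none'; ");
 }
 $this->_handle_etag($etag);
 $this->ddownload->serveFile($file, $filedata["filename"], $filedata["mimetype"]);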
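Review bot: The policy on the added line is one long string literal that the loop emits under three header names, so every future directive change has to be edited in place and the three variants can only stay in sync by hand; hoisting it once, `$csp = "default-src 'none'; img-src data: *; media-src *; font-src data: *; style-src 'unsafe-inline' *; script-src 'none'; object-src *; frame-src 'none';";` and then `header("$header_name: $csp");` inside the loop, keeps one source of truth. Adding `data:` to img-src and font-src is a modest widening, since an inline image or font cannot run script while `script-src 'none'` stays in place, and the NEWS entry documents it. The same line still carries `object-src *` and no `form-action` directive, so user-submitted HTML served under this policy may embed plugin content and post forms to any origin; if the served content does not need those, `object-src 'none'` and `form-action 'none'` would tighten it, though that is outside what this commit changes. The enclosing method starts outside the hunk.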