From 3e6414bf9643d7d9e6893c12b30a1840925f1c5b Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Tue, 21 May 2019 23:11:29 +0200
Subject: Allow data URLs in CSP header

Signed-off-by: Florian Pritz
---
 NEWS | 1 +
 application/controllers/Main.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 7dbefd5e1..87322517b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 This file lists major, incompatible or otherwise important changes, you should look at it after every update.
 NEXT
+ - Allow data: URLs in Content-Security-Policy header for images and fonts
 3.3.2 2019-05-15
  - Fix compatability with Pygments 2.4.0
diff --git a/application/controllers/Main.php b/application/controllers/Main.php
index b0f88753e..793c88b89 100644
--- a/application/controllers/Main.php
+++ b/application/controllers/Main.php
@@ -219,7 +219,7 @@ class Main extends MY_Controller {
 // prevent javascript from being executed and forbid frames
 // this should allow us to serve user submitted HTML content without huge security risks
 foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $header_name) {
-header("$header_name: default-src 'none'; img-src *; media-src *; font-src *; style-src 'unsafe-inline' *; script-src 'none'; object-src *; frame-src 'none'; ");
+header("$header_name: default-src 'none'; img-src data: *; media-src *; font-src data: *; style-src 'unsafe-inline' *; script-src 'none'; object-src *; frame-src 'none'; ");
 }
 $this->_handle_etag($etag);
 $this->ddownload->serveFile($file, $filedata["filename"], $filedata["mimetype"]);
--
cgit v1.2.3-24-g4f1b
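Review bot: The rewritten header line in Main.php keeps `object-src *`, which lets user-submitted HTML embed plugin content from any origin and undercuts the comment's claim that the policy prevents script execution; since the directive list is being edited anyway, changing it to `object-src 'none'` would close that gap (whether any existing pastes rely on plugin embeds is not visible here). The added `data:` sources are limited to `img-src` and `font-src` with `script-src 'none'` retained, so they cannot introduce executable content, but that reasoning is worth recording above the loop, e.g. `// data: is allowed only for img-src and font-src; script-src stays 'none', so data: URLs cannot deliver executable content`. The `X-WebKit-CSP` and `X-Content-Security-Policy` variants are legacy prefixes whose directive grammar differed from the standard header, so the same string may not be interpreted identically by browsers that still honour them. The enclosing method begins before the hunk and is not visible here.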