From 3e6414bf9643d7d9e6893c12b30a1840925f1c5b Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Tue, 21 May 2019 23:11:29 +0200
Subject: Allow data URLs in CSP header

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 application/controllers/Main.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'application/controllers/Main.php')

diff --git a/application/controllers/Main.php b/application/controllers/Main.php
index b0f88753e..793c88b89 100644
--- a/application/controllers/Main.php
+++ b/application/controllers/Main.php
@@ -219,7 +219,7 @@ class Main extends MY_Controller {
 					// prevent javascript from being executed and forbid frames
 					// this should allow us to serve user submitted HTML content without huge security risks
 					foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $header_name) {
-						header("$header_name: default-src 'none'; img-src *; media-src *; font-src *; style-src 'unsafe-inline' *; script-src 'none'; object-src *; frame-src 'none'; ");
+						header("$header_name: default-src 'none'; img-src data: *; media-src *; font-src data: *; style-src 'unsafe-inline' *; script-src 'none'; object-src *; frame-src 'none'; ");
 					}
 					$this->_handle_etag($etag);
 					$this->ddownload->serveFile($file, $filedata["filename"], $filedata["mimetype"]);
-- 
cgit v1.2.3-24-g4f1b