Allow img-src blob:

2024-04-05 19:59:38 +02:00
parent 03ef9f109f
commit 86986d8f34
1 changed files with 2 additions and 2 deletions
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -136,7 +136,7 @@ server {

 <% if ( endpoint === 'dashboard' || endpoint === 'ip' || endpoint === 'setup' ) { -%>
    # CSP headers for the dashboard resources
-    add_header Content-Security-Policy "default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';";
+    add_header Content-Security-Policy "default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * blob: data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';";
 <% } else { %>
    <% if (cspQuoted) { %>
    add_header Content-Security-Policy <%- cspQuoted %>;
@@ -257,7 +257,7 @@ server {

    location ~ ^/openid/ {
        proxy_pass   http://127.0.0.1:3005;
-        add_header Content-Security-Policy "frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none';";
+        add_header Content-Security-Policy "frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * blob: data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none';";
        client_max_body_size 2m;
    }