Content-Security-Policy: allow images from data: URLs

QR displayed in odk-central-frontend are displayed with src=data:... Closes getodk#629
alxndrsn · Nov 9, 2024 · 0415ec6 · 0415ec6
1 parent 2d95a61
commit 0415ec6
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/files/nginx/common-headers.conf b/files/nginx/common-headers.conf
@@ -6,7 +6,7 @@
 # They are included here to ease interpretation of violation reports.
 #
 # N.B. a separate CSP is defined for Enketo in odk.conf.template
-add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src *; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; report-uri /csp-report";
+add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src * data:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; report-uri /csp-report";
 
 # If changing these headers, please apply the same updates to enketo
 # location(s) in odk.conf.template