From a5a7897233d52b881046069c77ed5e602bf30a66 Mon Sep 17 00:00:00 2001
From: Antoine Augusti
Date: Tue, 12 Nov 2024 13:24:35 +0100
Subject: [PATCH] =?UTF-8?q?CSP=20:=20autorise=20images=20venant=20du=20G?= =?UTF-8?q?=C3=A9oportail=20IGN=20(#4304)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../lib/transport_web/plugs/custom_secure_browser_headers.ex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/transport/lib/transport_web/plugs/custom_secure_browser_headers.ex b/apps/transport/lib/transport_web/plugs/custom_secure_browser_headers.ex
index dbdda1f6e3..6cab7417ae 100644
--- a/apps/transport/lib/transport_web/plugs/custom_secure_browser_headers.ex
+++ b/apps/transport/lib/transport_web/plugs/custom_secure_browser_headers.ex
@@ -46,7 +46,7 @@ defmodule TransportWeb.Plugs.CustomSecureBrowserHeaders do
 connect-src *;
 font-src *;
 frame-ancestors 'none';
- img-src 'self' data: https://api.mapbox.com https://static.data.gouv.fr https://www.data.gouv.fr https://*.dmcdn.net #{logos_bucket_url};
+ img-src 'self' data: https://api.mapbox.com https://data.geopf.fr https://static.data.gouv.fr https://www.data.gouv.fr https://*.dmcdn.net #{logos_bucket_url};
 script-src 'self' 'unsafe-eval' 'unsafe-inline' https://stats.data.gouv.fr/matomo.js;
 frame-src https://*.dailymotion.com;
 style-src 'self' 'nonce-#{nonce}' #{vega_hash_values};
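Review bot: The new `https://data.geopf.fr` source is typed by hand into two near-identical `img-src` lines (line 49 in this hunk and line 63 in the second hunk), so the two policies can silently drift the next time an image origin is added or revoked. Both strings already interpolate `#{logos_bucket_url}`, so the hosts they share could be bound once and reused, e.g. `img-src #{common_img_sources} #{logos_bucket_url};`, leaving only the `demo*.data.gouv.fr` hosts specific to the second policy. A comment above the policy strings such as `# data.geopf.fr: IGN Géoportail map images (#4304)` would record why the origin is trusted and make later allowlist audits easier. The diffstat shows no test change, so if the plug has a header test, an assertion that the emitted `img-src` contains the new host in both variants would catch a future regression. The enclosing function starts and ends outside both hunks, so how the two strings are selected is not visible here.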
@@ -60,7 +60,7 @@ defmodule TransportWeb.Plugs.CustomSecureBrowserHeaders do
 connect-src *;
 font-src *;
 frame-ancestors 'none';
- img-src 'self' data: https://api.mapbox.com https://static.data.gouv.fr https://demo-static.data.gouv.fr https://www.data.gouv.fr https://demo.data.gouv.fr https://*.dmcdn.net #{logos_bucket_url};
+ img-src 'self' data: https://api.mapbox.com https://data.geopf.fr https://static.data.gouv.fr https://demo-static.data.gouv.fr https://www.data.gouv.fr https://demo.data.gouv.fr https://*.dmcdn.net #{logos_bucket_url};
 script-src 'self' 'unsafe-eval' 'unsafe-inline' https://stats.data.gouv.fr/matomo.js;
 frame-src https://*.dailymotion.com;
 style-src 'self' 'nonce-#{nonce}' #{vega_hash_values};