From fb024232870673d94456faca18c958e9c00b8f3f Mon Sep 17 00:00:00 2001
From: Alex Anderson <191496+alxndrsn@users.noreply.github.com>
Date: Mon, 11 Nov 2024 20:11:14 +0300
Subject: [PATCH] Content-Security-Policy: allow images from data: URLs (#772)

QR displayed in odk-central-frontend are displayed with src=data:...

Closes #629
---
 files/nginx/common-headers.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/nginx/common-headers.conf b/files/nginx/common-headers.conf
index 7661bb01..7fa6eefa 100644
--- a/files/nginx/common-headers.conf
+++ b/files/nginx/common-headers.conf
@@ -6,7 +6,7 @@
 # They are included here to ease interpretation of violation reports.
 #
 # N.B. a separate CSP is defined for Enketo in odk.conf.template
-add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src *; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; report-uri /csp-report";
+add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src * data:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; report-uri /csp-report";
 # If changing these headers, please apply the same updates to enketo
 # location(s) in odk.conf.template
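Review bot: The hunk's own trailing comment asks that any change to these headers be mirrored in the Enketo location(s) in odk.conf.template, yet the diffstat lists only files/nginx/common-headers.conf, so the separate Enketo CSP presumably still lacks `data:` in img-src if it serves the same QR images; either apply the same edit there or state in the commit message why Enketo is exempt. Adding `data:` is genuinely required despite the existing `*`, because the wildcard source expression does not match data:, blob: or filesystem: schemes. Since this is a Content-Security-Policy-Report-Only header, the edit only stops violation reports for data: images; nothing is newly blocked or permitted at enforcement time. Permitting data: for img-src alone is low risk compared with script-src or object-src, but a comment such as `# data: is needed for QR codes the frontend renders inline (#629)` above the add_header line would spare a future reader from re-deriving why it was added.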