From b4fd0586d841fae6d854b45a4e45ac9037503582 Mon Sep 17 00:00:00 2001
From: Amolith
Date: Sun, 9 Nov 2025 19:00:35 -0700
Subject: [PATCH] feat(webui): allow data URIs in img-src CSP

Assisted-by: Claude Sonnet 4.5 via Crush
---
 pkg/web/webui.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/web/webui.go b/pkg/web/webui.go
index 03a48eae5f64469b8e98fe475a288d82591b65f4..acb9624719c31fecd3bcb1d3d89dd12b7a5a76a8 100644
--- a/pkg/web/webui.go
+++ b/pkg/web/webui.go
@@ -243,7 +243,7 @@ func renderHTML(w http.ResponseWriter, templateName string, data interface{}) {
 // Security headers
 // Note: style-src 'unsafe-inline' is required for inline styles in templates (tree.html, overview.html)
- w.Header().Set("Content-Security-Policy", "default-src 'self'; img-src 'self' https:; style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'none'")
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'none'")
 w.Header().Set("Referrer-Policy", "no-referrer")
 w.Header().Set("X-Content-Type-Options", "nosniff")
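Review bot: The new `data:` source in img-src is added without the rationale the line above records for `style-src 'unsafe-inline'`, so a future reviewer tightening this policy has no way to know which template depends on it or whether it is still needed. The relaxation itself is bounded — `data:` is only granted to img-src, and `https:` already lets any remote image load, so the practical effect is that injected markup could render attacker-chosen inline images but not execute script — but that scoping is the part worth writing down so nobody later copies `data:` into script-src or object-src. Extend the existing note, e.g. `// Note: img-src data: is needed for inline base64/SVG images embedded by the templates (confirm which); keep data: out of script-src and object-src.` renderHTML begins before this hunk and continues after it, so the headers set elsewhere in the function are not visible here.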