Allow images with data URLs

Only URLs with a mime-type image/* are allowed
2025-08-26 18:21:01 +00:00 · 2021-02-06 14:33:28 -08:00 · 2021-02-06 14:33:28 -08:00 · 864dd9f219
commit 864dd9f219
parent 9a9a271b1f
4 changed files with 34 additions and 3 deletions
--- a/http/response/builder.go
+++ b/http/response/builder.go
@ -96,7 +96,7 @@ func (b *Builder) writeHeaders() {
 	b.headers["X-XSS-Protection"] = "1; mode=block"
 	b.headers["X-Content-Type-Options"] = "nosniff"
 	b.headers["X-Frame-Options"] = "DENY"
-	b.headers["Content-Security-Policy"] = "default-src 'self'; img-src *; media-src *; frame-src *"
+	b.headers["Content-Security-Policy"] = "default-src 'self'; img-src * data:; media-src *; frame-src *"

 	for key, value := range b.headers {
 		b.w.Header().Set(key, value)