From a10321e7924da96e6a11aa151347edf3314fed1c Mon Sep 17 00:00:00 2001 From: Ed Tanous Date: Thu, 21 Mar 2024 16:35:26 -0700 Subject: Fix content-security-policy disable If one sets the XSS policy disable, and tries to load the webui, they're met with the following error message: ``` chunk-vendors.6cfb4b74.js:36 Refused to load the image 'data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5'%3E%3Cpath fill='%233f3f3f' d='M2 0L0 2h4zm0 5L0 3h4z'/%3E%3C/svg%3E' because it violates the following Content Security Policy directive: "img-src *". Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme 'data:' must be added explicitly. ``` Do as it asks, and add data: to the content security policy. Tested: Browser console no longer shows error when XSS is enabled. Change-Id: I17f70d7c87a284b33ef6eb5a01a01c23a14898c9 Signed-off-by: Ed Tanous --- include/security_headers.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/security_headers.hpp b/include/security_headers.hpp index 236b367fac..9af494d21b 100644 --- a/include/security_headers.hpp +++ b/include/security_headers.hpp @@ -82,7 +82,7 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], // If XSS is disabled, we need to allow loading from addresses other // than self, as the BMC will be hosted elsewhere. res.addHeader("Content-Security-Policy", "default-src 'none'; " - "img-src *; " + "img-src * data:; " "font-src *; " "style-src *; " "script-src *; " -- cgit v1.2.3
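Review bot: the scope of this change is right: `data:` is added only to `img-src`, which is the one directive the quoted browser error names, and `data:` images are the low-risk case for CSP; please keep it out of `script-src` and `style-src` even in this deliberately permissive branch, since a `data:` source there would let arbitrary inline-encoded scripts or stylesheets execute. Two documentation points on the surrounding context: the comment above the header ("If XSS is disabled, we need to allow loading from addresses other than self") and the commit message ("Tested: Browser console no longer shows error when XSS is enabled") use opposite wording for the same build/runtime option, so it would help to state once, in the comment, which setting selects this branch and that the default (non-disabled) branch is unaffected by this change. It would also be worth recording in the commit message that the wildcard directives (`img-src *`, `font-src *`, `style-src *`, `script-src *`) remain a development-only policy, so that a reader of the hunk does not mistake the added `data:` for a hardening of the normal policy.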