Fix #3386: set appropriate CSP for attachment previews in images (#3550)

leplatrem · web-flow · commit ca0921d78aa4 · 2025-05-20T22:24:30.000+02:00
diff --git a/kinto/plugins/admin/views.py b/kinto/plugins/admin/views.py
@@ -32,7 +32,7 @@ def admin_home_view(request):
     allow_local_only = "; ".join(
         (
             "default-src 'self'",
-            "img-src data: 'self'",
+            "img-src data: *",
             "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
             "style-src 'self' 'unsafe-inline'",
         )

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ def admin_home_view(request):`
`32`	`32`	`allow_local_only = "; ".join(`
`33`	`33`	`(`
`34`	`34`	`"default-src 'self'",`
`35`		`- "img-src data: 'self'",`
	`35`	`+ "img-src data: *",`
`36`	`36`	`"script-src 'self' 'unsafe-inline' 'unsafe-eval'",`
`37`	`37`	`"style-src 'self' 'unsafe-inline'",`
`38`	`38`	`)`