fix(csp): allow external https images in img-src — closes #608

Co-authored-by: Hermes Agent <agent@hermes>
2026-04-16 23:34:21 -07:00
parent d6267f4d31
commit f3f23abd4e
3 changed files with 7 additions and 2 deletions
--- a/api/helpers.py
+++ b/api/helpers.py
@@ -45,7 +45,7 @@ def _security_headers(handler):
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
        "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
-        "img-src 'self' data:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
+        "img-src 'self' data: https: blob:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
        "base-uri 'self'; form-action 'self'"
    )
    handler.send_header(