fix CSP with data: URLs

Author: cmason3

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## CHANGELOG
 
+### [24.6.1] - Jun 20, 2024
+- Updated `Content-Security-Policy` to explicitly allow `data:` scheme for `img-src` as `*` doesn't permit it
+
 ### [24.6.0] - Jun 20, 2024
 - Added an actual CHANGELOG.md instead of relying on GitHub Release history
 - The `Content-Security-Policy` header is now set as a HTTP response header and uses a standard value for all pages
@@ -309,6 +312,7 @@
 ### 21.11.0 - Nov 29, 2021
 - Initial release
 
+[24.6.1]: https://github.com/cmason3/jinjafx_server/compare/24.6.0...24.6.1
 [24.6.0]: https://github.com/cmason3/jinjafx_server/compare/24.5.0...24.6.0
 [24.5.0]: https://github.com/cmason3/jinjafx_server/compare/24.3.0...24.5.0
 [24.3.0]: https://github.com/cmason3/jinjafx_server/compare/24.1.1...24.3.0

jinjafx_server.py

@@ -28,7 +28,7 @@
 import re, argparse, hashlib, traceback, glob, hmac, uuid, struct, binascii, gzip, requests, ctypes, subprocess
 import cmarkgfm, emoji
 
-__version__ = '24.6.0'
+__version__ = '24.6.1'
 
 llock = threading.RLock()
 rlock = threading.RLock()
@@ -415,9 +415,8 @@ def do_GET(self, head=False, cache=True, versioned=False):
 
       elif r[1] == 200 or r[1] == 304:
         if r[1] == 200:
-          # self.send_header('Content-Security-Policy', "frame-ancestors 'none'")
           self.send_header('X-Content-Type-Options', 'nosniff')
-          self.send_header('Content-Security-Policy', "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; script-src 'self' https://cdnjs.cloudflare.com; img-src *; frame-ancestors 'none'")
+          self.send_header('Content-Security-Policy', "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; script-src 'self' https://cdnjs.cloudflare.com; img-src data: *; frame-ancestors 'none'")
           self.send_header('Referrer-Policy', 'strict-origin-when-cross-origin')
 
         self.send_header('Cache-Control', 'max-age=0, must-revalidate')