From 88c27ea7894359654a8f239c3a3e7501fb6c8762 Mon Sep 17 00:00:00 2001
From: Chris Mason
Date: Thu, 20 Jun 2024 00:49:21 +0100
Subject: [PATCH] fix CSP with data: URLs
---
 CHANGELOG.md | 4 ++++
 jinjafx_server.py | 5 ++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 70113b5..56be0ab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## CHANGELOG
+### [24.6.1] - Jun 20, 2024
+- Updated `Content-Security-Policy` to explicitly allow `data:` scheme for `img-src` as `*` doesn't permit it
+
 ### [24.6.0] - Jun 20, 2024
 - Added an actual CHANGELOG.md instead of relying on GitHub Release history
 - The `Content-Security-Policy` header is now set as a HTTP response header and uses a standard value for all pages
@@ -309,6 +312,7 @@
 ### 21.11.0 - Nov 29, 2021
 - Initial release
+[24.6.1]: https://github.com/cmason3/jinjafx_server/compare/24.6.0...24.6.1
 [24.6.0]: https://github.com/cmason3/jinjafx_server/compare/24.5.0...24.6.0
 [24.5.0]: https://github.com/cmason3/jinjafx_server/compare/24.3.0...24.5.0
 [24.3.0]: https://github.com/cmason3/jinjafx_server/compare/24.1.1...24.3.0
diff --git a/jinjafx_server.py b/jinjafx_server.py
index 83e0be3..89e5828 100755
--- a/jinjafx_server.py
+++ b/jinjafx_server.py
@@ -28,7 +28,7 @@ import re, argparse, hashlib, traceback, glob, hmac, uuid, struct, binascii, gzip, requests, ctypes, subprocess
 import cmarkgfm, emoji
-__version__ = '24.6.0'
+__version__ = '24.6.1'
 llock = threading.RLock()
 rlock = threading.RLock()
@@ -415,9 +415,8 @@ def do_GET(self, head=False, cache=True, versioned=False):
 elif r[1] == 200 or r[1] == 304:
 if r[1] == 200:
- # self.send_header('Content-Security-Policy', "frame-ancestors 'none'")
 self.send_header('X-Content-Type-Options', 'nosniff')
- self.send_header('Content-Security-Policy', "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; script-src 'self' https://cdnjs.cloudflare.com; img-src *; frame-ancestors 'none'")
+ self.send_header('Content-Security-Policy', "default-src 'self'; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; script-src 'self' https://cdnjs.cloudflare.com; img-src data: *; frame-ancestors 'none'")
 self.send_header('Referrer-Policy', 'strict-origin-when-cross-origin')
 self.send_header('Cache-Control', 'max-age=0, must-revalidate')