CB-11938 updated csp to include content: for img-src 17/head
authorSteve Gill <stevengill97@gmail.com>
Fri, 30 Sep 2016 00:25:33 +0000 (17:25 -0700)
committerSteve Gill <stevengill97@gmail.com>
Fri, 30 Sep 2016 00:34:12 +0000 (17:34 -0700)
template_src/www/index.html

index 646f9cb..095e93b 100644 (file)
@@ -28,7 +28,7 @@
             * Disables use of inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
                 * Enable inline JS: add 'unsafe-inline' to default-src
         -->
-        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
+        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:;">
         <meta name="format-detection" content="telephone=no">
         <meta name="msapplication-tap-highlight" content="no">
         <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width">
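Review bot: The new `img-src` directive on the `+` line replaces the `default-src` fallback for image loads, so images from `https://ssl.gstatic.com` (still listed only in `default-src`) are no longer permitted; if that origin should keep serving images, the directive needs it spelled out, e.g. `img-src 'self' data: content: https://ssl.gstatic.com;`. The trailing `;` after the last directive is harmless but unconventional and can be dropped. The explanatory comment above the meta tag, which tells template users how to loosen the policy, does not mention the new directive; a line such as `* Allow images from another scheme or origin: add it to img-src` would keep it in step with the policy. That comment block begins outside the hunk.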