Module: check_mk Branch: master Commit: 9a04e136e523dcc9027e869d107f63ccb0c30d85 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9a04e136e523dc… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Mon Oct 22 20:02:25 2018 +0200 Fixed loading of inline images (data:image/png;base64,...) The recently introduced content security policy denied loading this kind of images. We use them in some places, for example in the modern theme or in the icon manager. Change-Id: Ida5c355094a01d16ee8f7118e8d9a739e37bd16f --- omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf index 7122129..01e185a 100644 --- a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf +++ b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf @@ -16,6 +16,9 @@ # Default policy for all not configured ones Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'" + # Allow local images and data URLs e.g. from CSS files + Header always set Content-Security-Policy "img-src 'self' data:" + # Allow AJAX calls to current scheme/url/port and the crash report API Header always append Content-Security-Policy "connect-src 'self' https://mathias-kettner.de/crash_report.php"