Module: check_mk
Branch: master
Commit: 9a04e136e523dcc9027e869d107f63ccb0c30d85
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9a04e136e523dc…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Oct 22 20:02:25 2018 +0200
Fixed loading of inline images (data:image/png;base64,...)
The recently introduced content security policy blocked these
images from loading. We use them in some places, for example in
the modern theme or in the icon manager.
Change-Id: Ida5c355094a01d16ee8f7118e8d9a739e37bd16f
---
omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf | 3 +++
1 file changed, 3 insertions(+)
diff --git a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
index 7122129..01e185a 100644
--- a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
+++ b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf
@@ -16,6 +16,9 @@
# Default policy for all not configured ones
Header always set Content-Security-Policy "default-src 'self'
'unsafe-inline' 'unsafe-eval'"
+ # Allow local images and data URLs e.g. from CSS files
+ Header always set Content-Security-Policy "img-src 'self' data:"
+
# Allow AJAX calls to current scheme/url/port and the crash report API
Header always append Content-Security-Policy "connect-src 'self'
https://mathias-kettner.de/crash_report.php"
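Review bot: The added `Header always set Content-Security-Policy "img-src 'self' data:"` uses `set`, which in mod_headers replaces any earlier value of the same header, so the `default-src` policy set just above it is no longer sent and only images and connections remain restricted. The `append` that follows joins its value with a comma, and browsers read a comma-separated CSP as separate policies that are each enforced on their own, not as extra directives of one policy. Assuming nothing outside this hunk rewrites the header later, emit a single policy instead: `Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; connect-src 'self' https://mathias-kettner.de/crash_report.php"`. It is worth confirming the result by inspecting the response headers of a site page after the change.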