From 29afe63e29d2af2e77744eec12110023efe5db9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Fri, 4 Mar 2011 15:17:32 +0100
Subject: [PATCH] Allow data: for in CSP
---
 libraries/header_http.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/header_http.inc.php b/libraries/header_http.inc.php
index 6086f38c6..1cf8b47e7 100644
--- a/libraries/header_http.inc.php
+++ b/libraries/header_http.inc.php
@@ -22,7 +22,7 @@ $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
 /* Prevent against ClickJacking by allowing frames only from same origin */
 if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) {
 header('X-Frame-Options: SAMEORIGIN');
- header('X-Content-Security-Policy: allow \'self\'; options inline-script eval-script; frame-ancestors \'self\'');
+ header('X-Content-Security-Policy: allow \'self\'; options inline-script eval-script; frame-ancestors \'self\'; img-src data:');
 }
 header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21
 header('Last-Modified: ' . $GLOBALS['now']);
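Review bot: The added `img-src data:` on the X-Content-Security-Policy line most likely narrows image loading instead of widening it: in the Mozilla CSP draft that this header follows, a per-type directive replaces the `allow 'self'` default for that type, so same-origin images would be refused and only data: URIs would load in enforcing browsers. The directive should name both sources, `img-src 'self' data:`. A one-line comment above the header saying which feature needs data: images would let a later reviewer judge whether the exception is still required. Separately, the policy is emitted only inside the `AllowThirdPartyFraming` check, so an installation that permits third-party framing appears to get no content security policy at all; that predates this change but deserves its own look.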