Merge pull request #4293 from FlowFuse/remove-csp-img-src

Remove limits on img-src
FlowFuse · Aug 7, 2024 · cce4376 · cce4376
2 parents 4899db5 + 503eb02
commit cce4376
Showing 1 changed file with 2 additions and 26 deletions.
diff --git a/forge/forge.js b/forge/forge.js
@@ -265,8 +265,8 @@ module.exports = async (options = {}) => {
                         'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
                         'worker-src': ["'self'", 'blob:'],
                         'connect-src': ["'self'"],
-                        'img-src': ["'self'", 'data:', 'flowfuse.com', 'www.gravatar.com'],
-                        'font-src': ["'self'", 'data'],
+                        'img-src': ["'self'", 'data:', '*'],
+                        'font-src': ["'self'", 'data:'],
                         'style-src': ["'self'", 'https:', "'unsafe-inline'"],
                         'upgrade-insecure-requests': null,
                         'frame-ancestors': ["'self'"]
@@ -337,20 +337,6 @@ module.exports = async (options = {}) => {
                 } else {
                     contentSecurityPolicy.directives['script-src'] = googleDomains
                 }
-                const googleImageDomains = [
-                    'www.google.com',
-                    'www.google.co.*',
-                    'www.google.com.*',
-                    'www.google.*',
-                    'googleads.g.doubleclick.net',
-                    'www.googleadservices.com',
-                    'www.googletagmanager.com'
-                ]
-                if (contentSecurityPolicy.directives['img-src'] && Array.isArray(contentSecurityPolicy.directives['img-src'])) {
-                    contentSecurityPolicy.directives['img-src'].push(...googleImageDomains)
-                } else {
-                    contentSecurityPolicy.directives['img-src'] = googleImageDomains
-                }
                 const googleConnectDomains = [
                     'www.google.com',
                     'google.com'
@@ -395,16 +381,6 @@ module.exports = async (options = {}) => {
                 } else {
                     contentSecurityPolicy.directives['script-src'] = hubspotDomains
                 }
-                const hubspotImageDomains = [
-                    '*.hsforms.com',
-                    '*.hubspot.com',
-                    '*.hsforms.net'
-                ]
-                if (contentSecurityPolicy.directives['img-src'] && Array.isArray(contentSecurityPolicy.directives['img-src'])) {
-                    contentSecurityPolicy.directives['img-src'].push(...hubspotImageDomains)
-                } else {
-                    contentSecurityPolicy.directives['img-src'] = hubspotImageDomains
-                }
                 const hubspotConnectDomains = [
                     '*.hubspot.com',
                     '*.hubapi.com',