set a more lenient img-src

github · Jul 18, 2017 · 17a1677 · 17a1677
1 parent 3e3f99c
commit 17a1677
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
@@ -9,6 +9,7 @@ def self.included(base)
     DEFAULT_VALUE = "default-src https:".freeze
     DEFAULT_CONFIG = {
       default_src: %w(https:),
+      img_src: %w(https: data: 'self'),
       object_src: %w('none'),
       script_src: %w(https:),
       style_src: %w('self' 'unsafe-inline' https:),

diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -25,7 +25,7 @@ module SecureHeaders
 
     describe "#value" do
       it "uses a safe but non-breaking default value" do
-        expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
+        expect(ContentSecurityPolicy.new.value).to eq("default-src https:; form-action 'self'; img-src https: data: 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:")
       end
 
       it "discards 'none' values if any other source expressions are present" do