authorJulius Härtl <jus@bitgrid.net>2021-11-02 10:06:09 +0100
committerAndras Timar <andras.timar@collabora.com>2021-11-02 11:06:19 +0100
commit3eab4f70a234cf2d30c4567cff9857b2fb22ebb2 (patch)
tree34c943de03cef125a2bfb501239e22278fbd1f7d /wsd
parentclipboard: fix partial content read for text/html (diff)
wsd: Only add one img-src rule to the CSP header
Signed-off-by: Julius Härtl <jus@bitgrid.net> Change-Id: I8ac3f077e4537f92943fa57bf863129d9bc36c6f
Diffstat (limited to 'wsd')
-rw-r--r--wsd/FileServer.cpp8
1 files changed, 5 insertions, 3 deletions
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index d75a2ea4d5..4169fcb5f5 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -1019,7 +1019,7 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request,
// Document signing: if endpoint URL is configured, whitelist that for
// iframe purposes.
std::ostringstream cspOss;
- cspOss << "Content-Security-Policy: default-src 'none'; img-src 'self' data: https://www.collaboraoffice.com/;"
+ cspOss << "Content-Security-Policy: default-src 'none'; "
#ifdef ENABLE_FEEDBACK
"frame-src 'self' " << FEEDBACK_LOCATION << " blob: " << documentSigningURL << "; "
#else
@@ -1056,19 +1056,21 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request,
}
}
+ std::string imgSrc = "img-src 'self' data: https://www.collaboraoffice.com/";
if (!frameAncestors.empty())
{
LOG_TRC("Allowed frame ancestors: " << frameAncestors);
// X-Frame-Options supports only one ancestor, ignore that
//(it's deprecated anyway and CSP works in all major browsers)
- cspOss << "img-src 'self' data: " << frameAncestors << "; "
+ // frame anchestors are also allowed for img-src in order to load the views avatars
+ cspOss << imgSrc << frameAncestors << "; "
<< "frame-ancestors " << frameAncestors;
Poco::replaceInPlace(preprocess, std::string("%FRAME_ANCESTORS%"), frameAncestors);
}
else
{
LOG_TRC("Denied all frame ancestors");
- cspOss << "img-src 'self' data: none;";
+ cspOss << imgSrc << "; ";
}
cspOss << "\r\n";