From b2fec1114cf45b43cb61d6d7e1b8cc4fd64b5432 Mon Sep 17 00:00:00 2001
From: Thomas Lehmann
Date: Mon, 24 Jan 2022 15:30:31 +0100
Subject: wsd: fix malformed img-src field The generated field is img-src 'self' data: https://www.collaboraoffice.com/https://*:* ...; while a space was expected before the "https://*:*" This was introduced with 7e94149ec476445a445ffcd0922d83b1c60c5c64 wsd: Only add one img-src rule to the CSP header
Signed-off-by: Thomas Lehmann
Change-Id: Ia900bb2508e7f04b111160001c6602e87eae2023
---
 wsd/FileServer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 0fb30990e9..c20e29d3ae 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -892,7 +892,7 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request,
 // X-Frame-Options supports only one ancestor, ignore that
 //(it's deprecated anyway and CSP works in all major browsers)
 // frame anchestors are also allowed for img-src in order to load the views avatars
- cspOss << imgSrc << frameAncestors << "; "
+ cspOss << imgSrc << " " << frameAncestors << "; "
 << "frame-ancestors " << frameAncestors;
 std::string escapedFrameAncestors;
 Poco::URI::encode(frameAncestors, "'", escapedFrameAncestors);
-- cgit
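Review bot: `frameAncestors` is streamed into the policy text as-is, both on the changed `cspOss << imgSrc << " " << frameAncestors << "; "` line and on the `"frame-ancestors "` line after it, so a value containing `;`, `,` or a line break would add or change directives rather than just list sources. Where the value comes from and whether it is already checked lies outside this hunk (preprocessFile starts and ends beyond it), so this may be handled upstream. If it is not, a guard before the header is built would close it, for example `if (frameAncestors.find_first_of(";,\r\n") != std::string::npos) { /* reject or drop the value */ }`. The `Poco::URI::encode(frameAncestors, "'", escapedFrameAncestors)` call below only produces the escaped copy and does not affect what was written to `cspOss`. Since a missing separator silently turned two sources into one invalid one, a unit test asserting the exact emitted `img-src` list would keep this from regressing.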