CB-11938 updated csp to include content: for img-src
diff --git a/template_src/www/index.html b/template_src/www/index.html
index 646f9cb..095e93b 100644
--- a/template_src/www/index.html
+++ b/template_src/www/index.html
@@ -28,7 +28,7 @@
             * Disables use of inline scripts in order to mitigate risk of XSS vulnerabilities. To change this:
                 * Enable inline JS: add 'unsafe-inline' to default-src
         -->
-        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
+        <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:;">
         <meta name="format-detection" content="telephone=no">
         <meta name="msapplication-tap-highlight" content="no">
         <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width">
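Review bot: The added `img-src 'self' data: content:` on the Content-Security-Policy meta tag replaces `default-src` for images rather than extending it, so `gap:` and `https://ssl.gstatic.com` no longer apply to image loads, and the comment block above the tag does not mention the new directive. If that narrowing is intended, the comment should say so, e.g. `* Images: img-src does not inherit from default-src; content: is allowed for images only (presumably Android content:// URIs); add further image origins to img-src`. Now that images carry their own `data:` entry, it is also worth checking whether `data:` is still needed in `default-src`, where it remains the fallback for `script-src` alongside `'unsafe-eval'`. The comment block starts outside this hunk.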