Allow data: url for image and fonts
authorMagnus Hagander <magnus@hagander.net>
Sat, 29 Dec 2018 10:25:43 +0000 (11:25 +0100)
committerMagnus Hagander <magnus@hagander.net>
Sat, 29 Dec 2018 10:25:43 +0000 (11:25 +0100)
Turns out data: is not included in "*" for images, so just add it. For
fonts, data: is used by google fonts.

pgweb/util/middleware.py

index 93260b98e5b4e05c77c0b5dc146844468337ed39..9a982c6912d78fbf002bd69ab11af26069b2a5f5 100644 (file)
@@ -41,12 +41,12 @@ class PgMiddleware(object):
                # Set security headers
                sources = OrderedDict([
                        ('default', ["'self'", ]),
-                       ('img', ['*', ]),
+                       ('img', ['*', 'data:', ]),
                        ('script', ["'self'", "www.google-analytics.com", "ssl.google-analytics.com"]),
                        ('connect', ["'self'", "www.google-analytics.com", "ssl.google-analytics.com"]),
                        ('media', ["'self'", ]),
                        ('style', ["'self'", "fonts.googleapis.com"]),
-                       ('font', ["'self'", "fonts.gstatic.com"]),
+                       ('font', ["'self'", "fonts.gstatic.com", "data:" ]),
                ])
                if hasattr(response, 'x_allow_extra_sources'):
                        for k,v in response.x_allow_extra_sources.items():
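Review bot: The two `data:` entries added to `sources` (the `img` and `font` lines) carry no in-code explanation, so the reason lives only in the commit message and a later tightening of the policy has nothing to go on. I would add a comment above each, e.g. `# '*' does not match the data: scheme, so it is listed explicitly` on `img` and `# data: is needed for fonts embedded by the Google Fonts stylesheets` on `font`, plus a line saying that `data:` should stay out of `default`, `script` and `connect`. As a style point, the `font` line has a stray space before the closing bracket and uses double quotes where the `img` line uses single quotes: `('font', ["'self'", "fonts.gstatic.com", "data:"]),`. The enclosing method and the `x_allow_extra_sources` loop continue outside the hunk, so whether per-response extras are limited to particular directives cannot be checked from here.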