From e1f5850d386693c9cd2e9ad8ad9dff2cfb058954 Mon Sep 17 00:00:00 2001
From: Mathieu
Date: Thu, 23 May 2024 22:46:46 +0200
Subject: [PATCH] fix: Fix CSP for libravatar

---
 website/app/GeoKrety/Assets.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/website/app/GeoKrety/Assets.php b/website/app/GeoKrety/Assets.php
index 173b395fb7..acf7a9927b 100644
--- a/website/app/GeoKrety/Assets.php
+++ b/website/app/GeoKrety/Assets.php
@@ -17,7 +17,7 @@ public function __construct(?Template $template = null) {
 header(
 'Content-Security-Policy: '
 .sprintf('script-src \'nonce-%s\' \'strict-dynamic\'; ', $nonce)
- .sprintf('img-src \'self\' data: %s %s https://www.gstatic.com/recaptcha/ https://tile.openstreetmap.org https://cdn.crowdin.com/jipt/images/ https://crowdin-static.downloads.crowdin.com/avatar/; ', GK_CDN_SERVER_URL, GK_MINIO_SERVER_URL_EXTERNAL)
+ .sprintf('img-src \'self\' data: %s %s https://www.gstatic.com/recaptcha/ https://tile.openstreetmap.org https://cdn.crowdin.com/jipt/images/ https://seccdn.libravatar.org/avatar/ https://crowdin-static.downloads.crowdin.com/avatar/; ', GK_CDN_SERVER_URL, GK_MINIO_SERVER_URL_EXTERNAL)
 .'frame-src https://www.google.com/ https://crowdin.com; '
 .sprintf('style-src \'self\' \'nonce-%s\'; ', $nonce)
 .sprintf('style-src-elem \'self\' \'unsafe-inline\' %s https://cdn.crowdin.com/jipt/jipt.css https://fonts.googleapis.com/css; ', GK_CDN_SERVER_URL)
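Review bot: The img-src allow-list is now maintained as two near-identical string literals (this hunk and the second hunk at line 30), so every further change to the avatar or tile hosts must be applied twice and the two policies can drift silently; consider building the shared base once, e.g. `$imgSrc = sprintf('img-src \'self\' data: %s %s https://www.gstatic.com/recaptcha/ https://tile.openstreetmap.org https://seccdn.libravatar.org/avatar/', GK_CDN_SERVER_URL, GK_MINIO_SERVER_URL_EXTERNAL);` and append the Crowdin entries only in the branch that needs them. Worth a comment next to the new entry: CSP stops enforcing the path part of a source expression once a resource has been reached through a redirect, and the redirect target's origin must itself be listed, so if seccdn.libravatar.org ever answers with a redirect to another host the avatar will still be blocked — check the browser console on a page with a federated avatar before relying on the `/avatar/` path restriction. The enclosing __construct starts and ends outside both hunks, so I cannot see what selects between the two policies.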
@@ -30,7 +30,7 @@ public function __construct(?Template $template = null) {
 header(
 'Content-Security-Policy: '
 .sprintf('script-src \'nonce-%s\' \'strict-dynamic\'; ', $nonce)
- .sprintf('img-src \'self\' data: %s %s https://www.gstatic.com/recaptcha/ https://tile.openstreetmap.org; ', GK_CDN_SERVER_URL, GK_MINIO_SERVER_URL_EXTERNAL)
+ .sprintf('img-src \'self\' data: %s %s https://www.gstatic.com/recaptcha/ https://tile.openstreetmap.org https://seccdn.libravatar.org/avatar/; ', GK_CDN_SERVER_URL, GK_MINIO_SERVER_URL_EXTERNAL)
 .'frame-src https://www.google.com/; '
 .sprintf('style-src \'self\' \'nonce-%s\'; ', $nonce)
 .sprintf('style-src-elem \'self\' \'unsafe-inline\' %s; ', GK_CDN_SERVER_URL)