Merge branch '6659-probable-bug-on-roundcube-default-content-security-policy' into 'develop'

Resolve "Probable bug on roundcube default Content-Security-Policy" Closes #6659 See merge request ispconfig/ispconfig3!1901

Merge branch '6659-probable-bug-on-roundcube-default-content-security-policy' into 'develop'
e63889ac · Till Brehm · f042d941 · 4e5caf04 · e63889ac
Commit e63889ac authored 9 months ago by Till Brehm
--- a/server/conf/apache_apps.vhost.master
+++ b/server/conf/apache_apps.vhost.master
@@ -38,8 +38,8 @@
  <IfModule mod_headers.c>
    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
-    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
+    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; object-src 'none'"
-    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
+    <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: *; object-src 'none'; upgrade-insecure-requests"
    Header set X-Content-Type-Options: nosniff
    Header set X-Frame-Options: SAMEORIGIN
    Header set X-XSS-Protection: "1; mode=block"