From 8695b899db4091f3a1eca3c80b1377bf5a4c99ec Mon Sep 17 00:00:00 2001
From: Glandos
Date: Sun, 28 Aug 2022 11:49:29 +0200
Subject: [PATCH] Allow more elements with CSP (#1057)

Ultimately, we should get rid of inline style
For image in data: scheme, I think it's OK for now

Fixes #1055
---
 ihatemoney/run.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ihatemoney/run.py b/ihatemoney/run.py
index f4357afd..69b9b32f 100644
--- a/ihatemoney/run.py
+++ b/ihatemoney/run.py
@@ -144,6 +144,8 @@ def create_app(
 # We have several inline javascript scripts :(
 "script-src": ["'self'", "'unsafe-inline'"],
 "object-src": "'none'",
+"img-src": ["'self'", "data:"],
+"style-src": ["'self'", "'unsafe-inline'"],
 }
 Talisman(
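Review bot: The new `style-src` entry re-admits `'unsafe-inline'` for stylesheets without the in-code justification that the `script-src` line above carries; the rationale ("we should get rid of inline style") lives only in the commit message, where the next maintainer will not see it. Add a comment above the new line such as `# Templates still use inline style attributes; TODO: move them to stylesheets or serve a nonce`, and likewise record why `img-src` needs `data:` (it admits any data-URI image, so the reason is worth stating next to the directive). If only a handful of inline styles remain, Talisman's `content_security_policy_nonce_in` could cover `style-src` and make `'unsafe-inline'` unnecessary; the `Talisman(` call continues outside the hunk, so whether nonces are already configured is not visible here. A minor style point: `object-src` is a bare string while both new directives are lists — Talisman accepts either, but one convention for the dict would read better.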