authorGravatar Inverle <inverle@proton.me> 2025-11-26 10:06:44 +0100
committerGravatar GitHub <noreply@github.com> 2025-11-26 10:06:44 +0100
commitfbfc5eacadc1fada6a538690e2949ad3c49bde4f (patch)
treede27e01e8c8cf38320c18806e5ee740a8f05801e /app/Controllers
parent1a3565f26c84ed82ef191effc70c5fa6e054e094 (diff)
Add `data:` to CSP in `subscriptionController` (#8253)
Quick fix for https://github.com/FreshRSS/FreshRSS/issues/8250 Regression from https://github.com/FreshRSS/FreshRSS/pull/7646 It seems the CSP is too permissive on some pages though (`img-src *`), so should fix that too later
Diffstat (limited to 'app/Controllers')
-rw-r--r--app/Controllers/subscriptionController.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/app/Controllers/subscriptionController.php b/app/Controllers/subscriptionController.php
index a2d1c1d07..a6928e32e 100644
--- a/app/Controllers/subscriptionController.php
+++ b/app/Controllers/subscriptionController.php
@@ -49,7 +49,7 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController {
$this->_csp([
'default-src' => "'self'",
'frame-ancestors' => FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'",
- 'img-src' => "'self' blob:",
+ 'img-src' => "'self' data: blob:",
]);
$this->view->onlyFeedsWithError = Minz_Request::paramBoolean('error');
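Review bot: The identical `_csp([...])` literal is edited here and again in the hunk at line 119, so the two policies can drift apart the next time one of them is touched; a small private helper on the controller that returns this array would give the planned CSP tightening a single place to change. The new `img-src` line also carries no hint of why `data:` is needed, and a comment such as `// data: is required for images on this page, see #8250` above it would stop a later hardening pass from removing it again. The widening itself stays narrow, since `default-src 'self'` still applies to every other resource type and `data:` is granted to images only. Both enclosing methods begin and end outside the hunks, so whether anything else in them depends on the policy cannot be checked from here.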
@@ -119,7 +119,7 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController {
$this->_csp([
'default-src' => "'self'",
'frame-ancestors' => FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'",
- 'img-src' => "'self' blob:",
+ 'img-src' => "'self' data: blob:",
]);
if (Minz_Request::isPost()) {