From fbfc5eacadc1fada6a538690e2949ad3c49bde4f Mon Sep 17 00:00:00 2001
From: Inverle
Date: Wed, 26 Nov 2025 10:06:44 +0100
Subject: Add `data:` to CSP in `subscriptionController` (#8253)
Quick fix for https://github.com/FreshRSS/FreshRSS/issues/8250 Regression from https://github.com/FreshRSS/FreshRSS/pull/7646 It seems the CSP is too permissive on some pages though (`img-src *`), so should fix that too later
---
 app/Controllers/subscriptionController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/Controllers/subscriptionController.php b/app/Controllers/subscriptionController.php
index a2d1c1d07..a6928e32e 100644
--- a/app/Controllers/subscriptionController.php
+++ b/app/Controllers/subscriptionController.php
@@ -49,7 +49,7 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController {
 $this->_csp([
 'default-src' => "'self'",
 'frame-ancestors' => FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'",
- 'img-src' => "'self' blob:",
+ 'img-src' => "'self' data: blob:",
 ]);
 $this->view->onlyFeedsWithError = Minz_Request::paramBoolean('error');
@@ -119,7 +119,7 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController {
 $this->_csp([
 'default-src' => "'self'",
 'frame-ancestors' => FreshRSS_Context::systemConf()->attributeString('csp.frame-ancestors') ?? "'none'",
- 'img-src' => "'self' data: blob:",
+ 'img-src' => "'self' data: blob:",
 ]);
 if (Minz_Request::isPost()) {
--
cgit v1.2.3
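Review bot: Neither copy of the `img-src` entry records why `data:` is allowed, and the same three-directive array is repeated verbatim in both hunks (`@@ -49` and `@@ -119`), so the CSP-tightening pass the commit message already anticipates could drop the source again and reintroduce the regression from #7646. I would add a comment above the entry in both places, for example `// data: is needed for images embedded as data URIs on these pages (see #8250); keep it when tightening img-src`, with the wording adjusted to whichever asset actually triggered the issue, since the hunks do not show it. Building the array once in a private helper that both actions pass to `_csp()` would keep the two policies from drifting apart. The addition itself stays narrow: `data:` under `img-src` permits no remote fetch, so `default-src 'self'` still governs everything loaded over the network. Both enclosing methods start and end outside the hunks, so whether other actions in this controller set a different policy cannot be checked from here.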