From 4ccba5337a7c0dd262033a4d45371020b067b51e Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 23 Oct 2020 12:09:03 -0700
Subject: [PATCH] Added https://gravatar address to CSP
---
 app/Http/Middleware/SecurityHeaders.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Http/Middleware/SecurityHeaders.php b/app/Http/Middleware/SecurityHeaders.php
index ab88ec1b87..5f77c21e14 100644
--- a/app/Http/Middleware/SecurityHeaders.php
+++ b/app/Http/Middleware/SecurityHeaders.php
@@ -106,7 +106,7 @@ class SecurityHeaders
 $csp_policy[] = "connect-src 'self'";
 $csp_policy[] = "object-src 'none'";
 $csp_policy[] = "font-src 'self' data:";
- $csp_policy[] = "img-src 'self' data: gravatar.com maps.google.com maps.gstatic.com *.googleapis.com";
+ $csp_policy[] = "img-src 'self' data: ".config('app.url')." https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com";
 $csp_policy = join(';', $csp_policy);
 $response->headers->set('Content-Security-Policy', $csp_policy);
 }
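Review bot: The added line concatenates `config('app.url')` straight into the `img-src` directive without normalising it, so a value with a trailing slash or path (`https://host/subdir/`) yields a path-source that only matches under that prefix, an empty value leaves a double space, and a value containing `;` would terminate the directive and start a new one in the header. Since `'self'` already covers the origin the browser requested, this entry only adds anything when `app.url` differs from the served host (e.g. behind a proxy), so reduce it to scheme and host and drop it when unparseable: `$app_host = parse_url((string) config('app.url'), PHP_URL_HOST);` then `$csp_policy[] = "img-src 'self' data:".($app_host ? ' '.$app_host : '')." https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com";`. Also note the removed line's scheme-less `gravatar.com` already matched the page's scheme, whereas the new `http://gravatar.com` on an HTTPS page is likely to be blocked as mixed content before CSP matters, so it is worth checking which host the avatar URLs actually use. The enclosing method begins outside the hunk, so the origin of `$csp_policy` is not visible here.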