Address content security policy warning. Needed to adjust the policy …

…to help with SVG `data:` URLs in use by Tailwind.
zorn · Sep 6, 2024 · 18fe752 · 18fe752
1 parent cdbe53e
commit 18fe752
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/flick_web/router.ex b/lib/flick_web/router.ex
@@ -9,7 +9,12 @@ defmodule FlickWeb.Router do
     plug :fetch_live_flash
     plug :put_root_layout, html: {FlickWeb.Layouts, :root}
     plug :protect_from_forgery
-    plug :put_secure_browser_headers
+
+    # Tailwind uses SVG data URLs for icons,
+    # so we need to allow them with `img-src`.
+    plug :put_secure_browser_headers, %{
+      "content-security-policy" => "default-src 'self'; img-src 'self' data:"
+    }
   end
 
   pipeline :admin do