path: root/internal/middleware/extraheaders.go
authorLibravatar Daenney <daenney@users.noreply.github.com>2023-08-12 12:21:48 +0200
committerLibravatar GitHub <noreply@github.com>2023-08-12 12:21:48 +0200
commit5e368d308942b8727e3086065a515d5fc9808e50 (patch)
treea4dd31d6f9d514abcb8cd1b06edb6831510b1cd3 /internal/middleware/extraheaders.go
parent[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) (diff)
[bugfix] CSP policy fixes for S3/object storage (#2104)
* [bugfix] CSP policy fixes for S3 in non-proxied mode * It should be img-src * In both img-src and media-src we still need to include 'self'
Diffstat (limited to 'internal/middleware/extraheaders.go')
-rw-r--r--internal/middleware/extraheaders.go8
1 files changed, 6 insertions, 2 deletions
diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index cd207a9f1..be7591be1 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -83,11 +83,15 @@ func BuildContentSecurityPolicy() string {
// Construct endpoint URL.
s3EndpointURLStr := scheme + "://" + s3Endpoint
+ // When object storage is in use in non-proxied mode, GtS still serves some
+ // assets itself like the logo, so keep 'self' in there. That should also
+ // handle any redirects from the fileserver to object storage.
+
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
- policy += "; image-src " + s3EndpointURLStr
+ policy += "; img-src 'self' " + s3EndpointURLStr
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
- policy += "; media-src " + s3EndpointURLStr
+ policy += "; media-src 'self' " + s3EndpointURLStr
return policy
}
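Review bot: The new `img-src` and `media-src` lines splice `s3EndpointURLStr` into the header verbatim, so a misconfigured endpoint containing whitespace or `;` would silently yield a malformed or broader-than-intended policy; BuildContentSecurityPolicy begins outside this hunk, so where `s3Endpoint` is validated is not visible here. Since the directive name was wrong until this commit, a unit test that pins the exact header for a sample endpoint would catch a regression, e.g. asserting the result contains `"; img-src 'self' https://s3.example.test"` (constructed value) and that `image-src` never appears. The explanatory comment added at the top of the hunk is separated from the two lines it explains by a blank line and the MDN link; placing it directly above the `img-src` line, or folding it into `// 'self' is kept because GtS still serves assets such as the logo itself (see non-proxied object storage)`, would keep comment and code together.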