From 980bc71a651c3e3ce104350d4239fd7e7c5a0d5d Mon Sep 17 00:00:00 2001
From: Dominik Rimpf
Date: Wed, 11 Dec 2024 18:53:03 +0100
Subject: [PATCH] fix(csp): allow 'data:' images in pads
Signed-off-by: Dominik Rimpf
---
 lib/csp.js | 2 +-
 public/docs/release-notes.md | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/csp.js b/lib/csp.js
index dc3706e2a..ac06722d6 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -11,7 +11,7 @@ const defaultDirectives = {
   fontSrc: ['\'self\''],
   manifestSrc: ['\'self\''],
   frameSrc: ['\'self\'', 'https://player.vimeo.com', 'https://www.slideshare.net/slideshow/embed_code/key/', 'https://www.youtube.com'],
-  imgSrc: ['*'], // we allow using arbitrary images
+  imgSrc: ['*', 'data:'], // we allow using arbitrary images & explicit data for mermaid
   scriptSrc: [
     config.serverURL + '/build/',
     config.serverURL + '/js/',
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 38d1307a1..213f7214d 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -4,6 +4,7 @@
 ### Bugfixes
 - Fix a crash when cannot read user profile in Oauth
+- Fix CSP Header for mermaid embedded images ([#5887](https://github.com/hedgedoc/hedgedoc/pull/5887) by [@domrim](https://github.com/domrim))
 ## 1.10.0 2024-09-01
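Review bot: The new `imgSrc` entry admits every `data:` URI in a pad, not only mermaid's output, and the trailing comment should record why that is acceptable so the next reader neither tightens it back (breaking mermaid again) nor takes it as precedent for other directives. Suggested replacement for the comment on the `imgSrc` line: `// '*' covers network images but never matches data: URIs, so 'data:' is listed separately (mermaid inlines rendered images). Acceptable for img-src: an SVG loaded via <img> cannot execute script.` The hunk shows only part of `defaultDirectives`; whether a deployment can override or extend `imgSrc` through config is outside this hunk, and if it can, the same note belongs with that option. The release-notes hunk is documentation only.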