From bff934227282b32cfa6408a30a2332e8b5b6bb58 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Tue, 13 Feb 2024 23:11:34 +0100
Subject: [PATCH] Allow blob: scheme (#817)
---
 middleware.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/middleware.js b/middleware.js
index c47bfa4d..b4fd759d 100644
--- a/middleware.js
+++ b/middleware.js
@@ -25,7 +25,7 @@ export function middleware (request) {
 "default-src 'none'",
 "font-src 'self' a.stacker.news",
 // we want to load images from everywhere but we can limit to HTTPS at least
- "img-src 'self' a.stacker.news m.stacker.news https: data:",
+ "img-src 'self' a.stacker.news m.stacker.news https: data: blob:",
 // Using nonces and strict-dynamic deploys a strict CSP.
 // see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy.
 // Old browsers will ignore nonce and strict-dynamic
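Review bot: The comment above the changed `img-src` line still says images are limited to HTTPS, but the directive now also allows `data:` and `blob:`, and neither the comment nor the commit message says why `blob:` is needed. I would add a line such as `// blob: lets our own scripts display object URLs (needed for <feature>); keep it scoped to img-src`, naming the feature that creates the object URLs. The scoping matters because `blob:` in `img-src` only permits image loads, whereas the same source in a script or worker directive would weaken the nonce-based policy described just below. The body of `middleware` starts before this hunk and continues past it, so the other directives were not reviewed here.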