From 465c89404c560dee9ec7e315fb915c3e4719daca Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Mon, 13 Jan 2025 11:32:13 -0500
Subject: [PATCH] All: add CSP exceptions for remote images

Ref https://github.com/jquery/infrastructure-puppet/issues/54
Closes gh-10
---
 jquery/functions.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/jquery/functions.php b/jquery/functions.php
index 1096fef..3672723 100755
--- a/jquery/functions.php
+++ b/jquery/functions.php
@@ -293,8 +293,10 @@ function twentyeleven_content_security_policy() {
 'script-src' => "'self' 'unsafe-inline' code.jquery.com use.typekit.net",
 // Allow inline styles for typekit
 'style-src' => "'self' 'unsafe-inline' code.jquery.com",
+ // Allow images from about:blank, *.cloudfront.net, events.jquery.org, and openjsf.org
+ // Allow images from *.twimg.com, gruntjs.com and *.imgur.com
 // Leaving out typekit img-src, which only loads the p.gif for analytics
- 'img-src' => "'self' code.jquery.com",
+ 'img-src' => "'self' about: *.cloudfront.net events.jquery.org openjsf.org *.twimg.com gruntjs.com *.imgur.com code.jquery.com",
 // Allow fonts from typekit
 'font-src' => "'self' use.typekit.net",
 'object-src' => "'none'",
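Review bot: The new `img-src` value admits `*.cloudfront.net`, `*.imgur.com` and `*.twimg.com`, which are shared hosting namespaces where any third party can publish content, so the directive no longer restricts image loads to origins the project controls. Because `script-src` a few lines above already carries `'unsafe-inline'`, `img-src` is one of the few directives still limiting where injected markup can send requests, and these wildcards largely remove that limit. If the sites reference only a few known distributions, list those hosts instead of the wildcard, e.g. `<distribution-id>.cloudfront.net` (placeholder; the real hostnames are not visible in this hunk). The added comment also says `about:blank` while the policy holds the scheme source `about:`, which matches every `about:` URL; the comment could read `// Allow images from the about: scheme (needed for about:blank), ...` so the two agree. twentyeleven_content_security_policy() begins and ends outside the hunk, so whether this array is sent as an enforcing or report-only header cannot be confirmed from here.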