diff --git a/httpbin/handlers.go b/httpbin/handlers.go
index 9a4349dfdde3d7a2cf02ac155ff7aec472ae8aa5..e1197660d07a0b28e2ef6bb9df63f5149c13a67a 100644
--- a/httpbin/handlers.go
+++ b/httpbin/handlers.go
@@ -34,7 +34,7 @@ func (h *HTTPBin) Index(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Not Found", http.StatusNotFound)
 		return
 	}
-	w.Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'unsafe-inline'")
+	w.Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com")
 	writeHTML(w, assets.MustAsset("index.html"), http.StatusOK)
 }
diff --git a/httpbin/handlers_test.go b/httpbin/handlers_test.go
index 9a94a02cee9d2b76c849fda6fe46f49ec5a1cb1c..47ed24f766ae76489c572230b00c33a09d063d3a 100644
--- a/httpbin/handlers_test.go
+++ b/httpbin/handlers_test.go
@@ -64,7 +64,7 @@ func TestIndex(t *testing.T) {
 	handler.ServeHTTP(w, r)
 	assertContentType(t, w, htmlContentType)
-	assertHeader(t, w, "Content-Security-Policy", "default-src 'self'; style-src 'unsafe-inline'")
+	assertHeader(t, w, "Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com")
 	assertBodyContains(t, w, "go-httpbin")
 }
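Review bot: The new `img-src` host source `camo.githubusercontent.com` carries no scheme, so a browser matches it against the scheme the page itself was served on; when go-httpbin is reached over plain HTTP that allows `http://camo.githubusercontent.com/...` images too, which defeats the point of a proxy that exists to serve images over TLS. Pin the scheme in the added line: `w.Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://camo.githubusercontent.com")`. While the header is being revised, note that `base-uri` and `frame-ancestors` do not fall back to `default-src`, so appending `base-uri 'self'; frame-ancestors 'none'` would close two gaps the current policy leaves open; whether `'unsafe-inline'` on `style-src` is still needed depends on the inline styles in `index.html`, which I cannot see here. The opening lines of `Index` (the path check that precedes `http.Error`) are outside the hunk.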
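Review bot: The test's expected value on the added `assertHeader` line is a second copy of the exact policy string from `handlers.go`, so the assertion only proves the two literals were edited in step and will keep passing no matter how the policy is weakened. A stronger test would pin the properties the change is meant to guarantee (for example that the header contains `default-src 'self'` and that `img-src` lists `camo.githubusercontent.com`) or at least reference one shared constant such as `const indexCSP = "default-src 'self'; ..."` declared next to `Index`, so the policy is defined in one place. The rest of `TestIndex` (request construction and the recorder setup) is outside the hunk.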