From 73a9e81f37fb9ffe7ce06aa38f31b14e2fa56037 Mon Sep 17 00:00:00 2001
From: Will McCutchen <will@mccutch.org>
Date: Fri, 13 Oct 2017 19:04:27 -0700
Subject: [PATCH] Allow github banner image in CSP

---
 httpbin/handlers.go      | 2 +-
 httpbin/handlers_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/httpbin/handlers.go b/httpbin/handlers.go
index 9a4349d..e119766 100644
--- a/httpbin/handlers.go
+++ b/httpbin/handlers.go
@@ -34,7 +34,7 @@ func (h *HTTPBin) Index(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Not Found", http.StatusNotFound)
 		return
 	}
-	w.Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'unsafe-inline'")
+	w.Header().Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com")
 	writeHTML(w, assets.MustAsset("index.html"), http.StatusOK)
 }
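Review bot: The new img-src host on the added line is given without a scheme, so under CSP host-source matching it also permits the page's own scheme (plain http when the index is served over http), not only TLS; pinning it as `img-src 'self' https://camo.githubusercontent.com` keeps the banner working while ruling out a cleartext image load. The same literal is now repeated verbatim in the handlers_test.go hunk, so a future tweak to the policy has to be made in two places; a package-level `const indexCSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://camo.githubusercontent.com"` used by both Index and TestIndex would keep them from drifting. Index's body begins before this hunk.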
 
diff --git a/httpbin/handlers_test.go b/httpbin/handlers_test.go
index 9a94a02..47ed24f 100644
--- a/httpbin/handlers_test.go
+++ b/httpbin/handlers_test.go
@@ -64,7 +64,7 @@ func TestIndex(t *testing.T) {
 	handler.ServeHTTP(w, r)
 
 	assertContentType(t, w, htmlContentType)
-	assertHeader(t, w, "Content-Security-Policy", "default-src 'self'; style-src 'unsafe-inline'")
+	assertHeader(t, w, "Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com")
 	assertBodyContains(t, w, "go-httpbin")
 }
 
-- 
GitLab