From 1ebc2c59d6d802fa85884bcba209eae29d53cfa8 Mon Sep 17 00:00:00 2001
From: hehoon <100522372+hehoon@users.noreply.github.com>
Date: Mon, 15 Dec 2025 12:58:00 +0100
Subject: [PATCH 1/2] Allow `blob:` in img-src CSP
---
 Framework/Backend/http/server.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Framework/Backend/http/server.js b/Framework/Backend/http/server.js
index d17405de9..9d3088b3b 100644
--- a/Framework/Backend/http/server.js
+++ b/Framework/Backend/http/server.js
@@ -156,6 +156,7 @@ class HttpServer {
 directives: {
 /* eslint-disable */
 defaultSrc: ["'self'", "data:", hostname + ':*'],
+ imgSrc: ["'self'", "data:", "blob:"],
 scriptSrc: ["'self'", ...(allow ? ["'unsafe-eval'"] : [])],
 styleSrc: ["'self'", "'unsafe-inline'"],
 connectSrc: ["'self'", 'http://' + hostname + ':' + port, 'https://' + hostname, 'wss://' + hostname, 'ws://' + hostname + ':' + port],
From ca2fa050ab666e7c9165ab06709e6746296c0515 Mon Sep 17 00:00:00 2001
From: George Raduta
Date: Wed, 7 Jan 2026 11:06:18 +0100
Subject: [PATCH 2/2] Use config param for allowing
---
 Framework/Backend/http/server.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Framework/Backend/http/server.js b/Framework/Backend/http/server.js
index 9d3088b3b..9d3df82b8 100644
--- a/Framework/Backend/http/server.js
+++ b/Framework/Backend/http/server.js
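Review bot: Declaring an explicit `imgSrc` silently drops the `hostname + ':*'` source that images inherited from `defaultSrc` while no img-src directive existed, so any image served from the host on a non-default port will now be blocked by the policy; the commit message does not mention this narrowing. If that source is still wanted for images, carry it over: `imgSrc: ["'self'", "data:", "blob:", hostname + ':*'],`. The same consideration applies to the conditional `imgSrc` entry in the directive hunk of the second patch. `blob:` itself is a narrow allowance here, since blob URLs are only creatable by the page's own origin. The `directives` object and the enclosing helmet call continue outside the hunk.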
@@ -135,8 +135,9 @@ class HttpServer {
 * @param {number} config.port secure port number
 * @param {list} config.iframeCsp list of URLs for frame-src CSP
 * @param {boolean} config.allow allow unsafe-eval in CSP
+ * @param {boolean} config.allowIframeCsp allow iframe embedding from given URLs
 */
- configureHelmet({ hostname, port, iframeCsp = [], allow = false }) {
+ configureHelmet({ hostname, port, iframeCsp = [], allow = false, allowIframeCsp = false }) {
 // Sets "X-Frame-Options: DENY" (doesn't allow to be in any iframe)
 this.app.use(helmet.frameguard({ action: 'deny' }));
 // Sets "Strict-Transport-Security: max-age=5184000 (60 days) (stick to HTTPS)
@@ -156,7 +157,7 @@ class HttpServer {
 directives: {
 /* eslint-disable */
 defaultSrc: ["'self'", "data:", hostname + ':*'],
- imgSrc: ["'self'", "data:", "blob:"],
+ ...(allowIframeCsp && { imgSrc: ["'self'", "data:", "blob:"] }),
 scriptSrc: ["'self'", ...(allow ? ["'unsafe-eval'"] : [])],
 styleSrc: ["'self'", "'unsafe-inline'"],
 connectSrc: ["'self'", 'http://' + hostname + ':' + port, 'https://' + hostname, 'wss://' + hostname, 'ws://' + hostname + ':' + port],
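Review bot: The new `allowIframeCsp` parameter and its JSDoc (`allow iframe embedding from given URLs`) describe frame embedding, but the only thing the flag controls in this patch (the directive hunk below) is whether `blob:` is added to img-src; nothing frame-related reads it in either hunk, and sitting next to the unrelated `iframeCsp` list it invites operators to set the wrong option. Name the flag for what it does and document that, e.g. `allowBlobImgSrc = false` in the signature and `@param {boolean} config.allowBlobImgSrc add blob: to the img-src CSP directive`. configureHelmet continues outside the hunk, so I cannot rule out another use of the flag further down; if there is one, the doc line should cover it too.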
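Review bot: `...(allowIframeCsp && { imgSrc: [...] })` relies on spreading `false` into an object literal being a no-op, which is legal but reads like a mistake and is fragile: if the config value ever arrives as a non-empty string (for example `'true'` from an environment variable), the spread copies its characters in as numeric keys of `directives` instead of enabling anything. The file already uses an explicit conditional on the `scriptSrc` line; keep the same shape here: `...(allowIframeCsp ? { imgSrc: ["'self'", "data:", "blob:"] } : {}),`. The `directives` object continues outside the hunk.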