From be2fb5416ed525b69a928e293595e2377c548359 Mon Sep 17 00:00:00 2001
From: Joachim Hill-Grannec <joachim.hill@gmail.com>
Date: Wed, 24 Jan 2024 08:25:01 -0600
Subject: [PATCH] fix: allow all img-src

---
 app-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app-config.yaml b/app-config.yaml
index 9048660..d77c8f0 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -19,7 +19,7 @@ backend:
     # host: 127.0.0.1
   csp:
     connect-src: ["'self'", 'http:', 'https:']
-    img-src: ["'self'", 'data:', 'https://avatars.githubusercontent.com']
+    img-src: ["'self'", 'data:', 'https:', 'https:']
     # Content-Security-Policy directives follow the Helmet format: https://helmetjs.github.io/#reference
     # Default Helmet Content-Security-Policy values can be removed by setting the key to false
   cors: