From 95fe2d4e86a824cc8380f69a7d5d43032b5cd629 Mon Sep 17 00:00:00 2001
From: Maarten Balliauw
Date: Fri, 13 Feb 2026 08:33:46 +0100
Subject: [PATCH] Expand Content Security Policy to allow data URIs and SVGs for images.

---
 src/Pages/SecurityHeadersAttribute.cs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Pages/SecurityHeadersAttribute.cs b/src/Pages/SecurityHeadersAttribute.cs
index 2e1302f..f3e8334 100644
--- a/src/Pages/SecurityHeadersAttribute.cs
+++ b/src/Pages/SecurityHeadersAttribute.cs
@@ -34,8 +34,11 @@ public override void OnResultExecuting(ResultExecutingContext context)
         // also an example if you need client images to be displayed from twitter
         // csp += "img-src 'self' https://pbs.twimg.com;";
 
+        // Images / SVGs
+        csp += "img-src 'self' data: w3.org/svg/2000;";
+
         // Google Fonts
-        csp += "font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com";
+        csp += "font-src 'self' fonts.gstatic.com; style-src 'self' fonts.googleapis.com;";
 
         // once for standards compliant browsers
         if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
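Review bot: The `w3.org/svg/2000` entry in the new img-src line is a CSP host-source, not an SVG enabler: it only whitelists image fetches from the host `w3.org` under the path `/svg/2000` (not even `www.w3.org`), which nothing on the page will request, so it is a dead allowance that reads as a misunderstanding of the SVG XML namespace (`http://www.w3.org/2000/svg`), which is a markup identifier and never a fetched resource. Inline `<svg>` elements need no img-src entry at all, and `.svg` files served from this origin are already covered by `'self'`; I would drop the host and keep `csp += "img-src 'self' data:;";` with the comment `// Images: same-origin files plus data: URIs; inline SVG markup needs no source entry`. `data:` in img-src is a widely accepted relaxation (images cannot execute script), but it is worth stating in the comment that it is deliberate, since the same token in script-src or object-src would be a real weakening. The trailing `;` added to the font-src/style-src line is a genuine fix, as anything concatenated after it would otherwise have merged into the style-src directive; OnResultExecuting continues outside the hunk, so I could not confirm whether a later directive is appended there.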