Fix content-security-policy disable
If one sets the XSS policy disable, and tries to load the webui, they're
met with the following error message:
```
chunk-vendors.6cfb4b74.js:36 Refused to load the image
'data:image/svg+xml;charset=utf-8,%3Csvg
xmlns='http://www.w3.org/2000/svg' width='4' height='5'%3E%3Cpath
fill='%233f3f3f' d='M2 0L0 2h4zm0 5L0 3h4z'/%3E%3C/svg%3E' because it
violates the following Content Security Policy directive: "img-src *".
Note that '*' matches only URLs with network schemes ('http', 'https',
'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme
'data:' must be added explicitly.
```
Do as it asks, and add data: to the content security policy.
Tested: Browser console no longer shows error when XSS is enabled.
Change-Id: I17f70d7c87a284b33ef6eb5a01a01c23a14898c9
Signed-off-by: Ed Tanous <ed@tanous.net>
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index 236b367..9af494d 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -82,7 +82,7 @@
// If XSS is disabled, we need to allow loading from addresses other
// than self, as the BMC will be hosted elsewhere.
res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src *; "
+ "img-src * data:; "
"font-src *; "
"style-src *; "
"script-src *; "