From 015d727e9b29a75fbea5f1d852d7e7e39271e305 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 6 Oct 2022 16:03:37 +0200
Subject: [PATCH] misc: add img-src CSP to fix printing on Firefox (#69958)

On firefox the CSP is applied to the printing dialog box of the browser, if it's too restrictive it cannot print an image file.
---
 wcs/forms/common.py | 6 ++++--
 wcs/forms/root.py | 5 ++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/wcs/forms/common.py b/wcs/forms/common.py
index b0770a1e9..acd3e267f 100644
--- a/wcs/forms/common.py
+++ b/wcs/forms/common.py
@@ -93,11 +93,13 @@ class FileDirectory(Directory):
 raise errors.TraversalError()
 else:
 raise errors.TraversalError()
-
 # force potential HTML upload to be used as-is (not decorated with theme)
 # and with minimal permissions
 response.filter = {}
- response.set_header('Content-Security-Policy', 'default-src \'none\';')
+ response.set_header(
+ 'Content-Security-Policy',
+ 'default-src \'none\'; img-src %s;' % get_request().build_absolute_uri(),
+ )
 if file.content_type:
 response.set_content_type(file.content_type)
diff --git a/wcs/forms/root.py b/wcs/forms/root.py
index 653fb04fa..81945c4f1 100644
--- a/wcs/forms/root.py
+++ b/wcs/forms/root.py
@@ -1692,7 +1692,10 @@ class FormPage(Directory, FormTemplateMixin):
 # force potential HTML upload to be used as-is (not decorated with theme)
 # and with minimal permissions
 response.filter = {}
- response.set_header('Content-Security-Policy', 'default-src \'none\';')
+ response.set_header(
+ 'Content-Security-Policy',
+ 'default-src \'none\'; img-src %s;' % get_request().build_absolute_uri(),
+ )
 if tempfile['content_type']:
 response.set_content_type(tempfile['content_type'])
--
2.37.2
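Review bot: The new `img-src` value in the common.py hunk interpolates `get_request().build_absolute_uri()` unescaped into the Content-Security-Policy header, where `;` and whitespace are directive delimiters, so a request URL carrying those characters (or a query string, which the CSP host-source grammar does not allow) can truncate or alter the policy instead of merely failing to match; the root.py hunk repeats the same construction. Unless an exact-URL match is required, `'self'` expresses the intent without interpolating request data: `'default-src \'none\'; img-src \'self\';'`. If the exact URL is needed, build it from the request's scheme, host and path only, dropping the query string and rejecting anything outside the host-source grammar — I can't tell from the hunk what build_absolute_uri() returns, so confirm that first, and a test asserting the emitted header contains exactly two directives would pin it. Both enclosing methods start and end outside their hunks.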