From c232a418f431cd3b3fafe534ee3d485394e222fc Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Fri, 13 Oct 2023 00:14:38 +0200
Subject: [PATCH] CSP: Recognize ACE of using data: images
---
config/initializers/content_security_policy.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index dad6c817..0c979f9f 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -39,7 +39,7 @@ Rails.application.configure do
 policy.default_src :none
 policy.base_uri :self
 policy.font_src :self
- # Code executions might return a base64 encoded image as a :data URI
+ # Code executions might return a base64 encoded image as a :data URI and ACE uses :data URIs for images
 policy.img_src :self, :data
 policy.object_src :none
 policy.media_src :self
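Review bot: The rewritten comment on the `+` line records why `:data` is needed by two consumers but not why it is acceptable there, which is the question a reader of a CSP initializer actually asks; `data:` in `img-src` can only supply inline images, it cannot load script, plugin or frame content, so its exposure is bounded as long as it stays out of `script_src`, `object_src` and `frame_src`. I would state that scoping next to the directive and spell out the abbreviation, e.g. `# :data is deliberately limited to img_src: code executions return base64 images and ACE (the editor, presumably) loads its images as data: URIs;` followed by `# it must not be added to script_src or object_src (object_src stays :none below).` The single comment line is also well past the usual width, so splitting it as above keeps it readable. The enclosing `Rails.application.configure do` block starts before the hunk.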