Fix CSP img-src directive to allow everything without proxy

backend/app/rest/api/rest.go

@@ -624,9 +624,9 @@ func cacheControl(expiration time.Duration, version string) func(http.Handler) h
 func securityHeadersMiddleware(imageProxyEnabled bool, allowedAncestors []string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			imgSrc := "'self'"
+			imgSrc := "*"
 			if imageProxyEnabled {
-				imgSrc = "*"
+				imgSrc = "'self'"
 			}
 			frameAncestors := "*"
 			if len(allowedAncestors) > 0 {

backend/app/rest/api/rest_test.go

@@ -345,6 +345,31 @@ func TestRest_frameAncestors(t *testing.T) {
 	assert.Contains(t, resp.Header.Get("Content-Security-Policy"), "frame-ancestors *;")
 }
 
+// check CSP, img-src should be 'self' with proxy enabled and * without it
+func TestRest_securityHeaders(t *testing.T) {
+	ts, _, teardown := startupT(t)
+
+	// with proxy disabled
+	client := http.Client{}
+	resp, err := client.Get(ts.URL + "/web/index.html")
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Contains(t, resp.Header.Get("Content-Security-Policy"), "img-src *;")
+	teardown()
+
+	// check CSP with proxy enabled
+	ts, _, teardown = startupT(t, func(srv *Rest) {
+		srv.ExternalImageProxy = true
+	})
+	defer teardown()
+	resp, err = client.Get(ts.URL + "/web/index.html")
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Contains(t, resp.Header.Get("Content-Security-Policy"), "img-src 'self';")
+}
+
 func TestRest_subscribersOnly(t *testing.T) {
 	paidSubUser := &token.User{}
 	paidSubUser.SetPaidSub(true)