From e69d7924f5c7ec5e11d4ab8f44721d38f7c0cf7e Mon Sep 17 00:00:00 2001
From: Fabian Weisshaar
Date: Sun, 26 May 2019 17:11:05 +0200
Subject: [PATCH] Update CSP header
---
 project_novis/callsign/views.py | 13 ++++++++++++-
 project_novis/settings.py | 2 +-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/project_novis/callsign/views.py b/project_novis/callsign/views.py
index 1c8e3a0..53f2275 100644
--- a/project_novis/callsign/views.py
+++ b/project_novis/callsign/views.py
@@ -42,7 +42,18 @@ class DefaultPagination(LimitOffsetPagination):
 max_limit = 100
-@method_decorator(csp_update(IMG_SRC=("maps.googleapis.com", "maps.gstatic.com", "lh3.ggpht.com", "cbks0.googleapis.com", "khms0.googleapis.com", "khms1.googleapis.com"), SCRIPT_SRC=("maps.googleapis.com", "maps.gstatic.com")), name='dispatch')
+@method_decorator(csp_update(IMG_SRC=(
+ "maps.googleapis.com", # Google Maps
+ "maps.gstatic.com", # Google Maps
+ "cbks0.googleapis.com",
+ "khms0.googleapis.com",
+ "khms1.googleapis.com",
+ "lh3.ggpht.com",
+ "geo0.ggpht.com", # Google Street View
+ "geo1.ggpht.com", # Google Street View
+ "geo2.ggpht.com", # Google Street View
+ "geo3.ggpht.com", # Google Street View
+ ), SCRIPT_SRC=("maps.googleapis.com", "maps.gstatic.com")), name='dispatch')
 class CallsignDetailView(DetailView):
 queryset = Callsign.objects\
 .select_related("prefix") \
diff --git a/project_novis/settings.py b/project_novis/settings.py
index 18d1b56..b8a1c05 100644
--- a/project_novis/settings.py
+++ b/project_novis/settings.py
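Review bot: The expanded IMG_SRC tuple is only half documented: the `maps.*` and `geo0`–`geo3` entries carry a comment, but `cbks0.googleapis.com`, `khms0.googleapis.com`, `khms1.googleapis.com` and `lh3.ggpht.com` say nothing about which feature loads from them, so whoever later tightens the policy cannot tell whether any of them can be dropped. Give each of those four hosts the same one-line annotation as its neighbours, or put a single comment above the tuple such as `# image hosts the embedded map on the callsign detail page presumably loads from — confirm against the map's network requests`. Because the numbered shard hosts are listed individually, an image served from a shard outside the listed set is simply blocked by the browser, and with no report endpoint visible in settings that breakage would be silent, so enabling django-csp's `CSP_REPORT_URI` is worth considering alongside this change. A module-level constant (e.g. `GOOGLE_MAPS_IMG_SRC = (...)`) referenced from the decorator would also keep the class header readable. The decorated `CallsignDetailView` body continues past the end of the hunk.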
@@ -168,7 +168,7 @@ def bool_env(key, default=None):
 CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "cdnjs.cloudflare.com", "maxcdn.bootstrapcdn.com", "piwik.nerdpol.io", "stackpath.bootstrapcdn.com")
 CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "maxcdn.bootstrapcdn.com", "cdnjs.cloudflare.com", "fonts.googleapis.com", "stackpath.bootstrapcdn.com")
 CSP_FONT_SRC = ("'self'", "fonts.googleapis.com", "fonts.gstatic.com", "maxcdn.bootstrapcdn.com", "cdnjs.cloudflare.com", "stackpath.bootstrapcdn.com")
-CSP_IMG_SRC = ("'self'", "data:", "cdnjs.cloudflare.com", "piwik.nerdpol.io", "www.gravatar.com")
+CSP_IMG_SRC = ("'self'", "data:", "cdnjs.cloudflare.com", "piwik.nerdpol.io", "www.gravatar.com", "www.gstatic.com")
 CSP_EXCLUDE_URL_PREFIXES = ("/admin/", "/api/v1/swagger/")
 # CORS settings
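Review bot: Adding `www.gstatic.com` to the site-wide `CSP_IMG_SRC` widens the image policy for every page, whereas the same commit scopes the other Google hosts to `CallsignDetailView` through `csp_update` in views.py. If the only consumer is the map on that view, the host belongs in that view's `IMG_SRC` tuple instead, keeping the global policy as narrow as it is today; if it is genuinely needed on every page, a short trailing comment such as `# needed by: <which page/feature>` would record why. Neither the diff nor the commit message says which of the two applies, so the reason should be written down on the line before this merges.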