From e38bd251d266d1de4cb1a4cde8968bbeb48d1a94 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date: Wed, 21 Apr 2021 17:13:52 -0700
Subject: [PATCH] Fixed image import.

---
 out.txt      | 10 ++++++++++
 webserver.js |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/out.txt b/out.txt
index 0723d945..7bc721e4 100644
--- a/out.txt
+++ b/out.txt
@@ -13,3 +13,13 @@ MeshCentral v0.8.16, Hybrid (LAN + WAN) mode.
 MeshCentral Intel(R) AMT server running on central.mesh.meshcentral.com:4433.
 MeshCentral HTTPS server running on central.mesh.meshcentral.com:443.
 Server Ctrl-C exit...
+MeshCentral HTTP redirection server running on port 80.
+MeshCentral v0.8.16, Hybrid (LAN + WAN) mode.
+MeshCentral Intel(R) AMT server running on central.mesh.meshcentral.com:4433.
+MeshCentral HTTPS server running on central.mesh.meshcentral.com:443.
+Server Ctrl-C exit...
+MeshCentral HTTP redirection server running on port 80.
+MeshCentral v0.8.16, Hybrid (LAN + WAN) mode.
+MeshCentral Intel(R) AMT server running on central.mesh.meshcentral.com:4433.
+MeshCentral HTTPS server running on central.mesh.meshcentral.com:443.
+Server Ctrl-C exit...
diff --git a/webserver.js b/webserver.js
index 8cada939..1a0e3609 100644
--- a/webserver.js
+++ b/webserver.js
@@ -5368,7 +5368,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                     'X-XSS-Protection': '1; mode=block',
                     'X-Content-Type-Options': 'nosniff',
                     'Permissions-Policy': 'interest-cohort=()', // Remove Google's FLoC Network
-                    'Content-Security-Policy': "default-src 'none'; font-src 'self'; script-src 'self' 'unsafe-inline'" + extraScriptSrc + "; connect-src 'self'" + geourl + selfurl + "; img-src 'self'" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self' mcrouter:; media-src 'self'; form-action 'self'"
+                    'Content-Security-Policy': "default-src 'none'; font-src 'self'; script-src 'self' 'unsafe-inline'" + extraScriptSrc + "; connect-src 'self'" + geourl + selfurl + "; img-src 'self' blob: data:" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self' mcrouter:; media-src 'self'; form-action 'self'"
                 };
                 if ((parent.config.settings.allowframing !== true) && (typeof parent.config.settings.allowframing !== 'string')) { headers['X-Frame-Options'] = 'sameorigin'; }
                 res.set(headers);