From e7935979a7451eb544f093f030abccf6feb2597d Mon Sep 17 00:00:00 2001
From: Timmy Willison
Date: Wed, 22 Jan 2025 22:08:53 -0500
Subject: [PATCH] All: add CSP exceptions for wordpress admins

- when the blogs are switched to use this repo's jquery theme, the theme will need to allow for data: images and fonts
---
 themes/jquery/functions.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/themes/jquery/functions.php b/themes/jquery/functions.php
index c47e85fe..2e2d5b3a 100755
--- a/themes/jquery/functions.php
+++ b/themes/jquery/functions.php
@@ -264,14 +264,12 @@ function jq_content_security_policy() {
 // The nonce is here so inline scripts can be used in the theme
 'style-src' => "'self' 'nonce-$nonce' code.jquery.com",
 // data: SVG images are used in typesense
- 'img-src' => "'self' data: code.jquery.com",
+ // Allow gravatars in wordpress admins
+ 'img-src' => "'self' data: secure.gravatar.com code.jquery.com",
 'connect-src' => "'self' typesense.jquery.com",
- 'font-src' => "'self'",
+ // Allow data fonts for the wordpress admins
+ 'font-src' => "'self' data:",
 'object-src' => "'none'",
- 'media-src' => "'self'",
- 'frame-src' => "'self'",
- 'child-src' => "'self'",
- 'form-action' => "'self'",
 'frame-ancestors' => "'none'",
 'base-uri' => "'self'",
 'block-all-mixed-content' => '',
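Review bot: Dropping `'form-action' => "'self'",` near the end of this hunk removes that restriction outright, because `form-action` is a navigation directive and never falls back to `default-src`; with it gone, the policy no longer limits where a form on the page may submit. The commit message only describes the `data:` image and font exceptions, so if the removal is required for the admin screens it should be stated there and in a comment, otherwise keep the line as it was. The removed `media-src`, `frame-src` and `child-src` entries are fetch directives and remain covered only if a `default-src` is set earlier in the array, which begins outside this hunk. The `secure.gravatar.com` and `font-src data:` allowances are commented as admin-only needs but presumably apply to every response this function covers; consider appending them only when `is_admin()` is true so the public pages keep the tighter policy.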