From 69309c437e5415a34ce363194043126b5ade91bb Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Tue, 1 Mar 2022 20:36:34 +0000
Subject: [PATCH] Tightened up the content security policy for non HTML files.
---
 src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java b/src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java
index b824e7fd..2e11cb48 100644
--- a/src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java
+++ b/src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java
@@ -128,7 +128,7 @@ public class ArbitraryDataRenderer {
 // Regular file - can be streamed directly
 File file = new File(filePath);
 FileInputStream inputStream = new FileInputStream(file);
- response.addHeader("Content-Security-Policy", "default-src 'self' 'unsafe-inline'; media-src 'self' blob:");
+ response.addHeader("Content-Security-Policy", "default-src 'self'");
 response.setContentType(context.getMimeType(filename));
 int bytesRead, length = 0;
 byte[] buffer = new byte[10240];
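Review bot: The tightened policy on the `response.addHeader("Content-Security-Policy", "default-src 'self'")` line still depends on the browser honouring the declared content type, and the following line takes that type from `context.getMimeType(filename)`, which is derived from the file name and, if `context` is a ServletContext, returns null for unknown extensions. A response with a missing or wrong type can be content-sniffed, and `default-src 'self'` would then still allow scripts loaded from the same origin that serves the hosted data. Consider adding `response.setHeader("X-Content-Type-Options", "nosniff");` next to the CSP header, and using `setHeader` rather than `addHeader` for the CSP so that exactly one policy is sent. The enclosing method starts and ends outside the hunk, so I cannot tell whether either point is already handled elsewhere.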