allow images and media in mail via http: and https:, but remove object tags (already forbiden via CSP)

api/src/Mail.php

@@ -141,7 +141,7 @@ class Mail
 		// tidy eats away even some wanted whitespace, so we switch it off;
 		// we used it for its compacting and beautifying capabilities, which resulted in better html for further processing
 		'tidy'=>0,
-		'elements' => "* -script -meta",
+		'elements' => "* -script -meta -object",
 		'deny_attribute' => 'on*',
 		'schemes'=>'href: file, ftp, http, https, mailto, phone, tel; src: cid, data, file, ftp, http, https; *:file, http, https, cid, src',
 		'hook_tag' =>"hl_email_tag_transform",

mail/inc/class.mail_ui.inc.php

@@ -3269,11 +3269,13 @@ $filter['before']= date("d-M-Y", $cutoffdate2);
 			Api\Session::cache_control(true);
 
 			// more strict CSP for displaying mail
-			foreach(['frame-src', 'connect-src', 'manifest-src', 'media-src'] as $src)
+			foreach(['frame-src', 'connect-src', 'manifest-src'] as $src)
 			{
 				Api\Header\ContentSecurityPolicy::add($src, 'none');
 			}
 			Api\Header\ContentSecurityPolicy::add('script-src', 'self', true);	// true = remove default 'unsafe-eval'
+			Api\Header\ContentSecurityPolicy::add('img-src', 'http:');
+			Api\Header\ContentSecurityPolicy::add('media-src', ['https:','http:']);
 		}
 		// Compose the content of the frame
 		$frameHtml =