From 669f679fbc0ac1764eccaaf0295ce1aa81d36ff2 Mon Sep 17 00:00:00 2001
From: ralf <rb@egroupware.org>
Date: Mon, 13 Jun 2022 13:19:54 +0200
Subject: [PATCH] change our CSP to allow data: for connect-src, which is used
 by Shoelace to "load" icons

---
 api/js/etemplate/Styles/shoelace.ts      | 20 --------------------
 api/src/Header/ContentSecurityPolicy.php |  3 +++
 2 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/api/js/etemplate/Styles/shoelace.ts b/api/js/etemplate/Styles/shoelace.ts
index 62adfd80ef..8be1b790ca 100644
--- a/api/js/etemplate/Styles/shoelace.ts
+++ b/api/js/etemplate/Styles/shoelace.ts
@@ -14,26 +14,6 @@ registerIconLibrary('default', {
 	},
 });
 
-/**
- * Override some shoelace icons with EGroupware icons
- * In particular, the data: ones give errors with our CSP
- * hacky hack to temporarily work around until CSP issue is fixed
- *
- * @see https://my.egroupware.org/egw/index.php?menuaction=tracker.tracker_ui.edit&tr_id=68774
- */
-const egw_icons = {'chevron-down': 'arrow_down', 'x': 'close', 'x-circle-fill': 'close'}
-registerIconLibrary("system", {
-	resolver: (name) =>
-	{
-		if(egw_icons[name] && egw)
-		{
-			return `${egw.webserverUrl}/pixelegg/images/${egw_icons[name]}.svg`;
-		}
-		return "";
-	}
-});
-
-
 /**
  * Customise shoelace styles to match our stuff
  * External CSS will override this
diff --git a/api/src/Header/ContentSecurityPolicy.php b/api/src/Header/ContentSecurityPolicy.php
index a23227caba..db8677e5d6 100644
--- a/api/src/Header/ContentSecurityPolicy.php
+++ b/api/src/Header/ContentSecurityPolicy.php
@@ -80,6 +80,9 @@ class ContentSecurityPolicy
 			}
 			self::$sources[$source] = [];
 		}
+		// Shoelace needs connect-src: data:
+		if ($source === 'connect-src') /** @noinspection UnsupportedStringOffsetOperationsInspection */ $attrs[] = 'data:';
+
 		foreach((array)$attrs as $attr)
 		{
 			if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))
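Review bot: The added `$attrs[] = 'data:';` assumes `$attrs` is already an array, but the `(array)$attrs` cast on the `foreach` just below suggests callers may pass a string, and the `@noinspection UnsupportedStringOffsetOperationsInspection` tag silences exactly that warning. On PHP 7.1+ the `[]` operator applied to a string throws an Error, so a string argument for connect-src would break header generation; normalising first avoids it: `if ($source === 'connect-src') $attrs = array_merge((array)$attrs, ['data:']);`. Because this widens connect-src on every response, the comment could also record the reason and the intended scope, e.g. `// Shoelace fetch()es its system icons from data: URIs; keep data: limited to connect-src`. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here whether a reset call or repeated calls for connect-src should skip the append or would add `data:` more than once.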