From 3db02c5d645d81976908e386001876bdc31b87f8 Mon Sep 17 00:00:00 2001 From: Michael Ludlow Date: Fri, 2 Jan 2026 02:30:21 -0500 Subject: [PATCH] fix(csp): allow external HTTPS images in Content-Security-Policy (#549) * fix(csp): allow external HTTPS images in Content-Security-Policy Update img-src directive to include 'https:' allowing images from external services like Supabase Storage to load in GitHub issue previews. This enables automated pipelines (e.g., TestFlight feedback to GitHub issues) that host screenshots on external storage to display correctly within Auto Claude. Fixes image loading for: - Supabase Storage URLs - Any other HTTPS-hosted images in GitHub issues Before: img-src 'self' data: blob: After: img-src 'self' data: blob: https: * fix(csp): narrow img-src to specific trusted domains Per reviewer feedback, replaced blanket https: with explicit whitelist: - https://*.githubusercontent.com (GitHub images/avatars) - https://*.supabase.co (Supabase Storage for TestFlight feedback) This addresses security concerns while maintaining the use case. Co-authored-by: adryserage --------- Co-authored-by: adryserage Co-authored-by: Alex <63423455+AlexMadera@users.noreply.github.com> --- apps/frontend/src/renderer/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/frontend/src/renderer/index.html b/apps/frontend/src/renderer/index.html index f538c2f6..4d4d0550 100644 --- a/apps/frontend/src/renderer/index.html +++ b/apps/frontend/src/renderer/index.html @@ -3,7 +3,7 @@ - +