Loosen the CSP a little for images.

routes/common.go

@@ -29,7 +29,7 @@ func renderTemplate(tmplName string, w http.ResponseWriter, r *http.Request, hea
 	}
 	// TODO: Expand this to non-HTTPS requests too
 	if !header.LooseCSP && common.Site.EnableSsl {
-		w.Header().Set("Content-Security-Policy", "default-src https: 'unsafe-eval'; style-src https: 'unsafe-eval' 'unsafe-inline'; img-src https: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; upgrade-insecure-requests")
+		w.Header().Set("Content-Security-Policy", "default-src https: 'unsafe-eval'; style-src https: 'unsafe-eval' 'unsafe-inline'; img-src * 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; upgrade-insecure-requests")
 	}
 	if header.CurrentUser.IsAdmin {
 		header.Elapsed1 = time.Since(header.StartedAt).String()