[OGUI-1861] Allow blob: in img-src CSP

Framework/Backend/http/server.js

@@ -135,8 +135,9 @@
    * @param {number} config.port secure port number
    * @param {list} config.iframeCsp list of URLs for frame-src CSP
    * @param {boolean} config.allow allow unsafe-eval in CSP
+   * @param {boolean} config.allowIframeCsp allow iframe embedding from given URLs
    */
-  configureHelmet({ hostname, port, iframeCsp = [], allow = false }) {
+  configureHelmet({ hostname, port, iframeCsp = [], allow = false, allowIframeCsp = false }) {
     // Sets "X-Frame-Options: DENY" (doesn't allow to be in any iframe)
     this.app.use(helmet.frameguard({ action: 'deny' }));
     // Sets "Strict-Transport-Security: max-age=5184000 (60 days) (stick to HTTPS)
@@ -156,6 +157,7 @@
       directives: {
         /* eslint-disable */
         defaultSrc: ["'self'", "data:", hostname + ':*'],
+        ...(allowIframeCsp && { imgSrc: ["'self'", "data:", "blob:"] }),
         scriptSrc: ["'self'", ...(allow ? ["'unsafe-eval'"] : [])],
         styleSrc: ["'self'", "'unsafe-inline'"],
         connectSrc: ["'self'", 'http://' + hostname + ':' + port, 'https://' + hostname, 'wss://' + hostname, 'ws://' + hostname + ':' + port],
@@ -301,7 +303,7 @@
    * Adds POST route using express router, the path will be prefix with "/api"
    * By default verifies JWT token unless public options is provided
    * @param {string} path         - path that the callback will be bound to
    * @param {function} callbacks   - method that handles request and response: function(req, res);
    *                                token should be passed as req.query.token;
    *                                more on req: https://expressjs.com/en/api.html#req
    *                                more on res: https://expressjs.com/en/api.html#res
@@ -316,7 +318,7 @@
    * Adds PUT route using express router, the path will be prefix with "/api"
    * By default verifies JWT token unless public options is provided
    * @param {string} path         - path that the callback will be bound to
    * @param {function} callbacks   - method that handles request and response: function(req, res);
    *                                token should be passed as req.query.token;
    *                                more on req: https://expressjs.com/en/api.html#req
    *                                more on res: https://expressjs.com/en/api.html#res
@@ -331,7 +333,7 @@
    * Adds PATCH route using express router, the path will be prefix with "/api"
    * By default verifies JWT token unless public options is provided
    * @param {string} path         - path that the callback will be bound to
    * @param {function} callbacks   - method that handles request and response: function(req, res);
    *                                token should be passed as req.query.token;
    *                                more on req: https://expressjs.com/en/api.html#req
    *                                more on res: https://expressjs.com/en/api.html#res
@@ -346,7 +348,7 @@
    * Adds DELETE route using express router, the path will be prefix with "/api"
    * By default verifies JWT token unless public options is provided
    * @param {string} path         - path that the callback will be bound to
    * @param {function} callbacks   - method that handles request and response: function(req, res);
    *                                token should be passed as req.query.token;
    *                                more on req: https://expressjs.com/en/api.html#req
    *                                more on res: https://expressjs.com/en/api.html#res
@@ -506,7 +508,7 @@
    * @todo use promises or generators to call it asynchronously!
    * @param {object} req - HTTP request
    * @param {object} res - HTTP response
    * @param {function} next - passes control to next matching route
    */
   jwtVerify(req, res, next) {
     try {