authorJoan Touzet <wohali@users.noreply.github.com>2020-08-10 17:47:06 +0000
committerGitHub <noreply@github.com>2020-08-10 13:47:06 -0400
commit625698d86fa366af490c27d6641cad313d65b97a (patch)
treeae7c119e4cc62cc2fa989157b08803f62727d961
parent9c3d888942d1fe2d8d6e7cfbd04adc74d2507590 (diff)
downloadcouchdb-625698d86fa366af490c27d6641cad313d65b97a.tar.gz
Fix/csp 3.x (#3069)
* fix: send CSP header to make Fauxton work fully Co-authored-by: Robert Newson <rnewson@apache.org> * Remove accidental chttpd_auth.erl.orig commit
-rw-r--r--src/chttpd/src/chttpd_misc.erl2
-rw-r--r--src/chttpd/test/eunit/chttpd_csp_tests.erl2
2 files changed, 2 insertions, 2 deletions
diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index ffb5295b5..830fea378 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -105,7 +105,7 @@ handle_utils_dir_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
maybe_add_csp_headers(Headers, "true") ->
- DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ DefaultValues = "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
Value = config:get("csp", "header_value", DefaultValues),
[{"Content-Security-Policy", Value} | Headers];
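Review bot: The new `child-src 'self' data: blob:` prefix in DefaultValues relies on a directive that CSP Level 3 marks as deprecated in favour of `frame-src` and `worker-src`; a user agent that honours only the granular directives, or that does not recognise `child-src` at all, presumably falls back to `default-src 'self'` (or `script-src` for workers) and still blocks the `blob:`/`data:` loads this change is meant to allow. Spelling out the granular directives keeps the intent portable, e.g. `DefaultValues = "child-src 'self' data: blob:; frame-src 'self' data: blob:; worker-src 'self' blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "`. Whether `data:` is actually required for frames is not visible here — a `data:` iframe can run script (in an opaque origin), so it is a wider grant than `blob:` alone, and dropping it would keep the default policy tighter if Fauxton only needs blob-URL workers. The string is asserted byte-for-byte in chttpd_csp_tests.erl, so the expected value there has to move in step. This is one clause of maybe_add_csp_headers/2; the remaining clause(s) follow outside the hunk.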
diff --git a/src/chttpd/test/eunit/chttpd_csp_tests.erl b/src/chttpd/test/eunit/chttpd_csp_tests.erl
index e86436254..b80e3fee6 100644
--- a/src/chttpd/test/eunit/chttpd_csp_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_csp_tests.erl
@@ -56,7 +56,7 @@ should_not_return_any_csp_headers_when_disabled(Url) ->
should_apply_default_policy(Url) ->
?_assertEqual(
- "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
begin
{ok, _, Headers, _} = test_request:get(Url),