From 5bba3dac82744843f74c3756bb069f0be0734ff6 Mon Sep 17 00:00:00 2001
From: HeySora
Date: Tue, 14 Jan 2025 13:27:26 +0100
Subject: [PATCH] Automatically add favicon host to CSP if present
---
 snappymail/v/0.0.0/app/libraries/RainLoop/Api.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php
index f73d0017e..685821507 100644
--- a/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php
+++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Api.php
@@ -42,6 +42,12 @@ public static function getCSP(?string $sScriptNonce = null) : \SnappyMail\HTTP\C
 $CSP->report = $oConfig->Get('security', 'csp_report', false);
 $CSP->report_only = $oConfig->Get('debug', 'enable', false); // || SNAPPYMAIL_DEV
 
+ // Allow favicon host, if present
+ $parsedFaviconUrl = parse_url($oConfig->Get('webmail', 'favicon_url', ''));
+ if (is_array($parsedFaviconUrl) && array_key_exists('host', $parsedFaviconUrl)) {
+ $CSP->add('img-src', $parsedFaviconUrl['host']);
+ }
+
 // Allow https: due to remote images in e-mails or use proxy
 if (!$oConfig->Get('labs', 'use_local_proxy_for_external_images', '')) {
 $CSP->add('img-src', 'https:');
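Review bot: The added `$CSP->add('img-src', $parsedFaviconUrl['host']);` allows the whole favicon host as an image source and drops the URL's scheme, port and path. A favicon served on a non-default port would still be blocked, because a bare host source only matches the default port. The entry only matters when `use_local_proxy_for_external_images` is on, since otherwise `https:` is added just below. In that mode, any image on the favicon host (for example a shared CDN) can presumably be loaded directly by rendered mail, which bypasses the proxy the operator chose. I would build the narrowest source the URL allows, e.g. `$sSrc = (isset($u['scheme']) ? $u['scheme'].'://' : '') . $u['host'] . (isset($u['port']) ? ':'.$u['port'] : '') . ($u['path'] ?? '');` followed by `$CSP->add('img-src', $sSrc);`, after confirming that `CSP::add()` passes a path-bearing source through unchanged. The body of `getCSP()` starts and ends outside this hunk, so how `add()` validates its value is not visible here.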