From 52757abdb2a97d723ab85a67d4a2056a9955956c Mon Sep 17 00:00:00 2001
From: James Dabbs
Date: Thu, 28 Jul 2016 16:17:28 -0400
Subject: [PATCH] Restore some CSP defaults

The recent upgrade of rack-protect brought in some new backwards-incompatible defaults. Notably, they break the Sidekiq web UI (see mperham/sidekiq#3070), and could have a similar impact broadly. This should restore enough access to get Sidekiq et al. (mostly) working.
---
 lib/sinatra/base.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index 507719e1..5f83eb04 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -1691,6 +1691,10 @@ module Sinatra
 def setup_protection(builder)
 return unless protection?
 options = Hash === protection ? protection.dup : {}
+ options = {
+ img_src: "'self' data:",
+ font_src: "'self'"
+ }.merge options
 protect_session = options.fetch(:session) { sessions? }
 options[:without_session] = !protect_session