From 6d22356caf4a0e40d3390379c8870478a2d45d75 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kyle.spearrin@gmail.com>
Date: Mon, 30 Jul 2018 23:56:09 -0400
Subject: [PATCH] allow gravatar in CSP

---
 util/Setup/NginxConfigBuilder.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs
index d3782eccd..195891248 100644
--- a/util/Setup/NginxConfigBuilder.cs
+++ b/util/Setup/NginxConfigBuilder.cs
@@ -13,7 +13,8 @@ namespace Bit.Setup
             "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:" +
             "AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
         private const string ContentSecurityPolicy =
-            "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; " +
+            "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
+            "img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
             "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
             "connect-src 'self' https://haveibeenpwned.com https://api.pwnedpasswords.com;";