From ba955800194b5d8591dee8d8c8c6cbd242603077 Mon Sep 17 00:00:00 2001
From: Henry Heino
Date: Mon, 14 Apr 2025 10:23:00 -0700
Subject: [PATCH] Fix loading data-url images, remote images

---
 .../gui/NoteEditor/NoteBody/TinyMCE/TinyMCE.tsx | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/TinyMCE.tsx b/packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/TinyMCE.tsx
index e4b362bb0c..98abbefa78 100644
--- a/packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/TinyMCE.tsx
+++ b/packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/TinyMCE.tsx
@@ -731,14 +731,17 @@ const TinyMCE = (props: NoteBodyEditorProps, ref: any) => {
 localization_function: _,
 // See https://www.tiny.cloud/docs/tinymce/latest/tinymce-and-csp/#content_security_policy
 content_security_policy: Setting.value('featureFlag.richText.useStrictContentSecurityPolicy') ? [
- 'default-src \'self\'',
+ // Media: *: Allow users to include images and videos from the internet (e.g. ![](http://example.com/image.png)).
+ // Media: blob: Allow loading images/videos/audio from blob URLs (for plugins)
+ // Media: data: Allow loading images and other media from data: URLs
+ 'default-src \'self\' blob: data: *',
+ 'frame-src \'none\'', // Should not contain sub-frames
+ 'worker-src \'none\'', // Should not need web workers
 'script-src \'self\'',
 // Styles: unsafe-inline: TinyMCE uses inline style="" styles.
 // Styles: *: Allow users to include styles from the internet (e.g.