From 99cdd5b1028ef455ba277a7f034926c3816c17ae Mon Sep 17 00:00:00 2001
From: Jan Willem Mannaerts
Date: Sat, 28 Feb 2026 16:56:37 +0100
Subject: [PATCH] Fix CSP: allow wp.com image proxy for Gravatar redirects

Gravatar 302 redirects to i0.wp.com for default/fallback avatars.

Co-Authored-By: Claude Opus 4.6
---
 backend/src/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/src/index.js b/backend/src/index.js
index 7b38fc9..afa79dd 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -59,7 +59,7 @@ app.use((_req, res, next) => {
 "script-src 'self'",
 "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 `connect-src 'self' wss://${isProd ? new URL(frontendUrl).host : '*'}`,
- "img-src 'self' https://*.atl-paas.net https://*.atlassian.com https://secure.gravatar.com https://*.gravatar.com data:",
+ "img-src 'self' https://*.atl-paas.net https://*.atlassian.com https://*.gravatar.com https://*.wp.com data:",
 "font-src 'self' https://fonts.gstatic.com",
 "object-src 'none'",
 "base-uri 'self'",
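Review bot: The new `img-src` source `https://*.wp.com` is broader than the commit message justifies, since it names only `i0.wp.com` as the Gravatar redirect target. With the wildcard, every host under wp.com becomes a permitted image origin, so the directive constrains less of where an injected image request can go. Prefer listing the exact host, e.g. `"img-src 'self' https://*.atl-paas.net https://*.atlassian.com https://*.gravatar.com https://i0.wp.com data:",`, and add further proxy hosts only once they show up as blocked loads in the browser's CSP violation messages. A one-line comment above the entry saying that wp.com is there for Gravatar's fallback-avatar redirect would keep the allowlist auditable. The enclosing `app.use` callback starts and ends outside the hunk.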