From ee63fd402fafd976c46437fe8054c2932071cb10 Mon Sep 17 00:00:00 2001
From: Punam Dahiya
Date: Wed, 28 Nov 2018 18:38:42 -0800
Subject: [PATCH] Fixes #5223 - Settings page fails to display account avatar
---
 server/src/config.js | 7 +++++++
 server/src/server.js | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/server/src/config.js b/server/src/config.js
index 958c5099b9..b129b4512f 100644
--- a/server/src/config.js
+++ b/server/src/config.js
@@ -99,6 +99,13 @@ const conf = convict({
 env: "FXA_CLIENT_SECRET",
 arg: "fxa-client-secret",
 },
+ profileImageServer: {
+ doc: "Firefox Account user avatar url",
+ format: String,
+ default: "https://firefoxusercontent.com",
+ env: "FXA_PROFILE_IMAGE_URI",
+ arg: "fxa-profile-image-uri",
+ },
 },
 db: {
 user: {
diff --git a/server/src/server.js b/server/src/server.js
index 4baa31ebeb..bd60d21a0b 100644
--- a/server/src/server.js
+++ b/server/src/server.js
@@ -118,6 +118,7 @@ const SITE_CDN = (config.siteCdn && (new URL(config.siteCdn)).host) || "";
 const CONTENT_NAME = config.contentOrigin || "";
 const CONTENT_CDN = (config.contentCdn && (new URL(config.contentCdn)).host) || "";
 const FXA_SERVER = config.fxa.profileServer && require("url").parse(config.fxa.profileServer).host;
+const FXA_USER_CONTENT = config.fxa.profileImageServer || "";
 
 function addHSTS(req, res) {
 // Note: HSTS will only produce warning on a localhost self-signed cert
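Review bot: The new `profileImageServer` entry uses `format: String`, so whatever arrives through FXA_PROFILE_IMAGE_URI or --fxa-profile-image-uri is accepted without any shape check, even though server.js interpolates this value straight into the Content-Security-Policy header; convict's built-in `format: "url"` would instead reject a malformed value at startup, where it is cheap to notice. The doc string also says "avatar url" but the value is consumed as a CSP source expression, so a more precise line would be `doc: "Origin of the Firefox Account profile image (avatar) server; allow-listed in the CSP img-src directive"`. The `default` is an https origin, which is the right shape for that use and worth saying in the doc so operators do not configure a host-only or path-bearing value.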
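Review bot: `FXA_USER_CONTENT` takes the configured string verbatim, whereas `FXA_SERVER` on the line above and `SITE_CDN`/`CONTENT_CDN` in the hunk context first parse the configured URL and keep only its host; the raw value then lands in the img-src list in the @@ -1220 hunk, so a value containing whitespace or a `;` would silently widen or reshape the policy instead of failing. Normalising through the URL parser this file already uses keeps the three constants consistent and makes a bad value fail at startup: `const FXA_USER_CONTENT = config.fxa.profileImageServer ? new URL(config.fxa.profileImageServer).origin : "";`. Using `origin` rather than `host` keeps the scheme from the default value in the source expression, which seems to be the intent of shipping an https URL as the default; `host` would also work if parity with `FXA_SERVER` is preferred.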
@@ -1220,7 +1221,7 @@ app.use((req, res, next) => {
 if (!DO_NOT_SEND_CSP) {
 res.header(
 "Content-Security-Policy",
- `default-src 'self'; img-src 'self' ${FXA_SERVER} www.google-analytics.com ${SITE_CDN} ${CONTENT_CDN} ${CONTENT_NAME} data:; script-src 'self' ${SITE_CDN} www.google-analytics.com 'nonce-${uuid}'; style-src 'self' ${SITE_CDN} 'unsafe-inline' https://code.cdn.mozilla.net; connect-src 'self' ${SITE_CDN} ${CONTENT_CDN} www.google-analytics.com ${dsn}; font-src https://code.cdn.mozilla.net; frame-ancestors 'none'; object-src 'none';`);
+ `default-src 'self'; img-src 'self' ${FXA_SERVER} ${FXA_USER_CONTENT} www.google-analytics.com ${SITE_CDN} ${CONTENT_CDN} ${CONTENT_NAME} data:; script-src 'self' ${SITE_CDN} www.google-analytics.com 'nonce-${uuid}'; style-src 'self' ${SITE_CDN} 'unsafe-inline' https://code.cdn.mozilla.net; connect-src 'self' ${SITE_CDN} ${CONTENT_CDN} www.google-analytics.com ${dsn}; font-src https://code.cdn.mozilla.net; frame-ancestors 'none'; object-src 'none';`);
 }
 res.header("X-Frame-Options", "DENY");
 next();
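Review bot: Inserting `${FXA_USER_CONTENT}` into the middle of the single-line CSP template makes the one-token change hard to spot in review and, because the constant is defined as `config.fxa.profileImageServer || ""`, an unset value leaves a doubled space in the header rather than simply omitting the source. Since the same template also interpolates `FXA_SERVER`, which the @@ -118 context shows can be a non-string when `config.fxa.profileServer` is unset, building the img-src list from an array and dropping empty entries would make both cases explicit and keep the directive readable; the header line would then read `img-src ${imgSrc}` with the remaining directives unchanged. The enclosing `app.use` handler starts before this hunk.

```javascript
      // Drop unset sources so the header never carries stray whitespace or a non-string value.
      const imgSrc = [
        "'self'", FXA_SERVER, FXA_USER_CONTENT, "www.google-analytics.com",
        SITE_CDN, CONTENT_CDN, CONTENT_NAME, "data:",
      ].filter(Boolean).join(" ");
      // … unchanged: res.header("Content-Security-Policy", …) with `img-src ${imgSrc}` in place of the inline list …
```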