souramoo / commentoplusplus

Commento with out of the box patches and updates to add useful features and fixes. Also with one-click deploy to Heroku so you can get up and running fast.
MIT License

Consider to stop loading icons using data:image because of CSP security issues #126

Open sander1095 opened 2 years ago

sander1095 commented 2 years ago

Hello!

I have been a happy commento user for a few weeks now.

Today I was busy implementing CSP on my website. I thought I fixed everything for commento, but there were still some issues:

commento tries to load around 5 images like this:

data:image/svg+xml;utf8,<?xml%20version=%221.0%22%20encoding=%22UTF-8%22?%3E%3Csvg%20enable-background=%22new%200%200%20284.929%20284.929%22%20version=%221.1%22%20viewBox=%220%200%20284.93%20284.93%22%20xml:space=%22preserve%22%20xmlns=%22http://www.w3.org/2000/svg%22%3E%09%3Cpath%20d=%22m282.08%20195.28-133.05-133.04c-1.901-1.903-4.088-2.856-6.562-2.856s-4.665%200.953-6.567%202.856l-133.04%20133.04c-1.906%201.906-2.856%204.093-2.856%206.568%200%202.474%200.953%204.664%202.856%206.566l14.272%2014.271c1.903%201.903%204.093%202.854%206.567%202.854s4.664-0.951%206.567-2.854l112.2-112.2%20112.21%20112.21c1.902%201.903%204.093%202.848%206.563%202.848%202.478%200%204.668-0.951%206.57-2.848l14.274-14.277c1.902-1.902%202.847-4.093%202.847-6.566%201e-3%20-2.476-0.944-4.666-2.846-6.569z%22%20fill=%22%23abbac4%22/%3E%3C/svg%3E

which is this image: [image]

This is not allowed because my CSP headers for img-src only contains self and https://commento.mydomain.com.

In order to allow those images to load, I would need to add data: as an allowed origin for images, which can be considered unsafe.

I would prefer these images to be real images (png/webp/jpg/gif/whatever) so they would be part of the existing img-src policies.
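To make the policy behaviour described above concrete, here is an added example (my own code, not from commentoplusplus or the issue author) that models how a browser evaluates an `img-src` directive against the two policies discussed: the strict one, which blocks the inline SVG, and the same policy with `data:` appended. The page origin `https://mydomain.com`, the shortened data URI and the matcher's limited source support (`'self'`, `'none'`, scheme sources, exact host sources) are assumptions.

```javascript
// Hypothetical page origin, matching the issue's setup (assumption).
const PAGE_ORIGIN = "https://mydomain.com";

// Constructed, shortened stand-in for the data: URI quoted in the issue.
const DATA_URI =
  "data:image/svg+xml;utf8,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22/%3E";

// The policy from the issue, and the same policy with data: added.
const STRICT_IMG_SRC = "'self' https://commento.mydomain.com";
const RELAXED_IMG_SRC = STRICT_IMG_SRC + " data:";

// Split an img-src directive value into its source expressions.
function parseSources(directive) {
  return directive.trim().split(/\s+/).filter(Boolean);
}

// Does one source expression allow the given (already parsed) URL?
// Not a full CSP matcher: no wildcards, paths or nonces/hashes.
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  if (source === "'none'") return false;
  // Scheme source such as "data:" or "https:" matches any URL of that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase();
  }
  // Host source such as "https://commento.mydomain.com": compare origins.
  try {
    return new URL(source).origin === url.origin;
  } catch {
    return false; // unparsable or unsupported source expression
  }
}

// True if the browser would fetch urlString as an image under the directive.
// Relative URLs resolve against the page origin, as they do in a document.
function imgAllowed(directive, urlString) {
  const url = new URL(urlString, PAGE_ORIGIN);
  return parseSources(directive).some((s) => sourceMatches(s, url));
}

// Demo: the SVG only loads once data: is whitelisted for every data: image.
for (const policy of [STRICT_IMG_SRC, RELAXED_IMG_SRC]) {
  console.log(`img-src ${policy}`);
  console.log("  inline SVG   ->", imgAllowed(policy, DATA_URI));
  console.log("  commento png ->",
    imgAllowed(policy, "https://commento.mydomain.com/img/arrow.png"));
}
```

Note that the relaxed policy makes no distinction between commento's own icons and any other `data:` image, which is why serving the icons as files under the existing `img-src` origins is the safer fix.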