Allow stylesheets (Bootstrap) to embed images as data URIs

TASVideos/Extensions/ApplicationBuilderExtensions.cs

@@ -61,7 +61,7 @@ public static IApplicationBuilder UseMvcWithOptions(this IApplicationBuilder app
 			"font-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/", // CSS `font: url();` and `@font-face { src: url(); }` will be blocked unless they're from one of these domains (this also blocks nonstandard fonts installed on the system maybe)
 			"form-action 'self'", // domains allowed for `<form action/>` (POST target page)
 			"frame-src 'self' https://www.youtube.com/embed/", // allow these domains in <iframe/>
-			"img-src *", // allow hotlinking images from any domain in UGC (not great)
+			"img-src * data:", // allow hotlinking images from any domain in UGC (not great)
 			"require-trusted-types-for 'script'", // experimental, but Google seems to be pushing it: should block `HTMLScriptElement.innerHTML = "user.pwn();";`, and similarly block adding in-line scripts as attrs
 			$"script-src 'self' {string.Join(' ', trustedJsHosts)}", // `<script/>`s will be blocked unless they're from one of these domains
 			"style-src 'unsafe-inline' 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/", // allow `<style/>`, and `<link rel="stylesheet"/>` if it's from our domain or trusted CDN