From 16ca734271e54c04efc0c9075e543d16960f0834 Mon Sep 17 00:00:00 2001
From: LC mac <leochan@hkjin.com>
Date: Sat, 31 Jan 2026 02:17:02 +0800
Subject: [PATCH] fix: allow blob: URLs for QR scanner CSP - Update img-src
 directive in _headers to include blob: - QR image upload now works in Restore
 tab - Maintain strict connect-src 'none' security

---
 public/_headers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/_headers b/public/_headers
index f97313c..146475c 100644
--- a/public/_headers
+++ b/public/_headers
@@ -1,5 +1,5 @@
 /*
-  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; form-action 'none'; base-uri 'self';
+  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'none'; form-action 'none'; base-uri 'self';
   X-Frame-Options: DENY
   X-Content-Type-Options: nosniff
   X-XSS-Protection: 1; mode=block