fix(CSP): move trusted list to default-src

website/server/middlewares/index.js

@@ -69,19 +69,17 @@ export default function attachMiddlewares (app, server) {
     contentSecurityPolicy: {
       directives: {
         defaultSrc: [
-          '*.habitica.com',
           '*.amazonaws.com',
-        ],
-        imgSrc: null,
-        scriptSrc: [
-          '\'unsafe-eval\'',
           '*.habitica.com',
-          '*.amazonaws.com',
           'cloudfront.loggly.com',
           'js.stripe.com',
           'm.stripe.network',
           'static-na.payments-amazon.com',
         ],
+        imgSrc: '*',
+        scriptSrc: [
+          '\'unsafe-eval\'',
+        ],
         upgradeInsecureRequests: IS_PROD ? [] : null,
       },
     },