The contacts menu doesn’t show avatars and the URL for the mail.svg shows as a “broken image”. The developer console shows this error (for avatar image, similar for mail.svg):
Refused to load the image 'http://%domain%/remote.php/dav/addressbooks/system/system/system/LDAP:%some-key%.vcf?photo&size=32' because it violates the following Content Security Policy directive: "img-src 'self' data: blob:".
When I inspect the element, I see the absolute URL is in the src attribute:
<div class="contact">
<img src="http://%domain%/remote.php/dav/addressbooks/system/system/system/LDAP:%some-key%.vcf?photo&size=32" class="avatar" srcset="http://%domain%/remote.php/dav/addressbooks/system/system/system/LDAP:%some-key%.vcf?photo&size=32 1x, http://%domain%/remote.php/dav/addressbooks/system/system/system/LDAP:%some-key%.vcf?photo&size=64 2x, http://%domain%/remote.php/dav/addressbooks/system/system/system/LDAP:%some-key%.vcf?photo&size=128 4x" alt="">
<div class="body">
<div class="full-name">%name%</div>
<div class="last-message"></div>
</div>
<a class="top-action" href="mailto:%email%" title="" data-original-title="%email%">
<img src="http://%domain%/core/img/actions/mail.svg" alt="%email%"></a>
</div>
If I edit out the http://%domain% in the DOM, the images show up. Seems like the absolute URL is getting generated somewhere it shouldn’t be. Is this a bug or configuration problem?