
fix(security): Prestoui restrict img-src wildcard in CSP#26790

Merged
tdcmeehan merged 1 commit into prestodb:master from adkharat:dynamic_scan_fix_presto_ui
Dec 15, 2025

Conversation

@adkharat
Contributor

@adkharat adkharat commented Dec 12, 2025

Description

Medium dynamic-scan issues flagged by ZAP in the CSV report:

  1. CSP: Wildcard Directive

Motivation and Context

(1) CSP: Wildcard Directive

Issue: CSP has a very broad img-src:

Removing http: https: eliminates scheme-wide allowances that permitted any external image host, closing the “wildcard/broad img-src” finding. Only images served from the UI origin or inline data URIs will load; everything else is blocked by the browser.
This directly addresses the reported CSP issue because the Content-Security-Policy header sent by the coordinator UI is the enforcement point; tightening the directive stops untrusted external image sources.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Fix CSP by removing `img-src 'http: https:'` in response to `CWE-693 <https://cwe.mitre.org/data/definitions/693.html>`_. :pr:`25910`

@adkharat adkharat requested a review from a team as a code owner December 12, 2025 08:45
@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Dec 12, 2025
@prestodb-ci prestodb-ci requested review from a team, nishithakbhaskaran and pramodsatya and removed request for a team December 12, 2025 08:46
@sourcery-ai
Contributor

sourcery-ai bot commented Dec 12, 2025

Reviewer's Guide

Tightens the default Content-Security-Policy (CSP) for the Web UI by removing broad HTTP/HTTPS allowances from the img-src directive so that only self and data URLs are permitted for images.

Sequence diagram for Web UI request with updated CSP img-src policy

sequenceDiagram
    actor User
    participant Browser
    participant PrestoCoordinator

    User->>Browser: Navigate to WebUI URL
    Browser->>PrestoCoordinator: HTTP GET /ui
    PrestoCoordinator-->>Browser: HTML + CSP header
    Browser->>Browser: Parse CSP
    Browser->>PrestoCoordinator: Request images from self
    PrestoCoordinator-->>Browser: Serve images from self
    Browser->>ExternalImageHost: Attempt to load external images (http/https)
    ExternalImageHost-->>Browser: Image response
    Browser->>Browser: Block external images due to CSP img-src 'self' data:
    Browser->>Browser: Allow only self and data images to render

File-Level Changes

Change: Harden Web UI Content-Security-Policy img-src directive to remove wildcard-like HTTP/HTTPS allowances.
Details:
  • Updated the DEFAULT_WEBUI_CSP string constant to drop http: and https: from the img-src directive, leaving only 'self' and data: sources for images.
  • Preserved all other CSP directives (default-src, style-src, font-src, frame-ancestors, form-action) unchanged to minimize behavioral impact while addressing the security finding.
Files: presto-main/src/main/java/com/facebook/presto/server/CoordinatorModule.java

@adkharat adkharat changed the title fixed wildcard directive presto-ui - fixed wildcard directive Dec 12, 2025
Contributor

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes and they look great!

@adkharat adkharat changed the title presto-ui - fixed wildcard directive fix(presto-ui): restrict img-src wildcard in CSP Dec 12, 2025
@adkharat adkharat changed the title fix(presto-ui): restrict img-src wildcard in CSP fix: restrict img-src wildcard in CSP Dec 12, 2025
@adkharat adkharat changed the title fix: restrict img-src wildcard in CSP fix: Prestoui restrict img-src wildcard in CSP Dec 12, 2025
Contributor

@nishithakbhaskaran nishithakbhaskaran left a comment

Can you help me understand how the change fixes the issue?

@nishithakbhaskaran
Contributor

nishithakbhaskaran commented Dec 12, 2025

Also, you can change the title to something like fix(security): ..........

@adkharat
Contributor Author

adkharat commented Dec 12, 2025

Can you help me understand how the change fixes the issue?

Removing http: https: eliminates scheme-wide allowances that permitted any external image host, closing the “wildcard/broad img-src” finding. Only images served from the UI origin or inline data URIs will load; everything else is blocked by the browser.
This directly addresses the CSP issue because the Content-Security-Policy header sent by the coordinator UI is the enforcement point; tightening the directive stops untrusted external image sources.

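A check for the img-src finding described in the PR description and in the author's reply above, as an added example that is not Presto's or ZAP's code: it parses a CSP header, flags scheme-wide img-src sources (what the scan reports as a wildcard directive), and approximates how a browser decides whether an image URL may load. The before/after policies and the coordinator origin are constructed; only the img-src change is taken from the PR, the other directive values are placeholders.

```python
from urllib.parse import urlparse

# Constructed policies modelled on the PR: only the img-src change is taken
# from the description; the other directives are placeholders, not Presto's.
CSP_BEFORE = "default-src 'self'; img-src 'self' data: http: https:; font-src 'self'"
CSP_AFTER = "default-src 'self'; img-src 'self' data:; font-src 'self'"

# Source expressions that admit any host on a whole scheme; these are what a
# scanner reports as a wildcard/broad directive.
SCHEME_WIDE_SOURCES = {"*", "http:", "https:"}


def parse_csp(header):
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch-directive sources, falling back to default-src as the browser does."""
    return policy.get(directive, policy.get("default-src", []))


def broad_img_sources(header):
    """Return the scheme-wide img-src sources in a header (empty list means clean)."""
    sources = effective_sources(parse_csp(header), "img-src")
    return sorted(s for s in sources if s in SCHEME_WIDE_SOURCES)


def image_allowed(header, page_origin, image_url):
    """Approximate browser img-src matching for one image URL.

    Simplified: handles 'self', scheme sources (data:, https:), the * wildcard
    and exact origin sources; path and host-wildcard matching are omitted.
    """
    url = urlparse(image_url)
    url_origin = f"{url.scheme}://{url.netloc}"
    for src in effective_sources(parse_csp(header), "img-src"):
        if src == "'self'" and url_origin == page_origin:
            return True
        if src == "*" and url.scheme in ("http", "https"):
            return True
        if src.endswith(":") and url.scheme == src[:-1]:  # scheme source
            return True
        if not src.startswith("'") and url_origin == src:  # exact origin
            return True
    return False
```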
@adkharat adkharat changed the title fix: Prestoui restrict img-src wildcard in CSP fix(security): Prestoui restrict img-src wildcard in CSP Dec 12, 2025
Contributor

@nishithakbhaskaran nishithakbhaskaran left a comment

Thanks for the fix @adkharat . LGTM!

@ajaykickdevops

@yhwang and @tdcmeehan Can you please review the PR.

@prestodb-ci
Contributor

@unidevel imported this issue as lakehouse/presto #26790

Contributor

@unidevel unidevel left a comment

LGTM

@tdcmeehan tdcmeehan merged commit 6cd0529 into prestodb:master Dec 15, 2025
98 of 106 checks passed