
feat: add external images support via CSP configuration#28

Merged
inercia merged 5 commits into main from feat/external-images-csp on Feb 17, 2026

Conversation


@inercia inercia commented Feb 17, 2026

Summary

Add support for displaying external images in agent responses by configuring CSP (Content Security Policy) headers.

Fixes #21

Changes

Configuration

  • Add config option (default: )
  • Add struct with accessor methods

Backend

  • Modify CSP middleware to conditionally add to directive
  • Pass external images config from server to CSP middleware

Frontend

  • Add toggle in Settings dialog to show current state (read-only, reflects config)

Documentation

  • Add section to
  • Update with CSP details
  • Add example in

Security Considerations

  • Default is secure: External images are blocked by default
  • HTTPS only: Only URLs are allowed (not )
  • Opt-in: Requires explicit configuration to enable

Testing

  • Unit tests for methods
  • Unit tests for CSP generation with/without external images
  • Comprehensive Playwright tests verifying:
    • CSP blocks external images when disabled (default)
    • CSP allows external images when enabled
    • Browser console shows CSP violation when blocked

Copilot AI review requested due to automatic review settings February 17, 2026 07:50

Copilot AI left a comment


Pull request overview

Adds a new configuration-driven way to allow loading external (HTTPS) images in rendered messages by extending the web UI’s CSP img-src directive, with corresponding config plumbing, UI surface area, and documentation.

Changes:

  • Introduces conversations.external_images.enabled config (default disabled) with accessor helpers and parsing/tests.
  • Updates CSP nonce middleware to optionally include https: in img-src and wires the config into server startup.
  • Adds Settings dialog toggle plus documentation updates describing the feature and privacy/security implications.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

  • web/static/components/SettingsDialog.js: Loads/saves conversations.external_images.enabled and adds an “Allow External Images” toggle in Advanced UI settings.
  • internal/web/server.go: Reads external-images setting from config and passes it into CSP middleware options.
  • internal/web/csp_nonce.go: Builds img-src directive dynamically based on allowExternalImages.
  • internal/web/csp_nonce_test.go: Adds unit coverage for CSP generation with external images enabled/disabled.
  • internal/config/config.go: Adds ExternalImagesConfig, integrates it into ConversationsConfig, and parses YAML into the new field.
  • internal/config/config_test.go: Adds unit tests for new config helpers and YAML parsing.
  • docs/config/web/README.md: Updates security-headers docs to explicitly mention CSP affects scripts and images and links to external-images config.
  • docs/config/conversations.md: Documents external image blocking rationale and how to enable it.
  • config/config.default.yaml: Documents the new external_images option in the default config template.
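As an added illustration, and not the project's own csp_nonce.go, the Go sketch below shows the shape of a nonce-based CSP middleware that appends the https: scheme source to img-src only when the external-images option is on, together with a small checker that reports which image URLs the resulting policy admits. The CSPOptions struct, the base img-src value of 'self', the other directives, the page origin and the helper names are assumptions made for this example; only the conditional https: addition to img-src, the config-driven toggle and the fact that the option is captured when the middleware is built come from the PR.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// CSPOptions is an assumed stand-in for whatever the server passes into the
// middleware; AllowExternalImages models conversations.external_images.enabled.
type CSPOptions struct {
	AllowExternalImages bool
}

// newNonce returns a fresh, unpredictable nonce for one response.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// BuildCSP assembles the header value. The base img-src of 'self' and the
// other directives are assumptions; the point is that https: is appended to
// img-src only when external images are enabled, and http: is never added.
func BuildCSP(nonce string, opts CSPOptions) string {
	imgSrc := []string{"'self'"}
	if opts.AllowExternalImages {
		imgSrc = append(imgSrc, "https:")
	}
	directives := []string{
		"default-src 'self'",
		fmt.Sprintf("script-src 'self' 'nonce-%s'", nonce),
		"img-src " + strings.Join(imgSrc, " "),
		"object-src 'none'",
	}
	return strings.Join(directives, "; ")
}

// CSPMiddleware captures opts once when the handler chain is built, which is
// why flipping the setting at runtime needs a restart, and sets the header
// with a per-request nonce.
func CSPMiddleware(opts CSPOptions, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "nonce generation failed", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", BuildCSP(nonce, opts))
		next.ServeHTTP(w, r)
	})
}

// ImageAllowed is a simplified model of the browser's img-src check for the
// policy above: relative URLs and same-origin URLs match 'self'; https: URLs
// match only when the scheme source was added; everything else is blocked.
func ImageAllowed(imgURL, pageOrigin string, opts CSPOptions) bool {
	u, err := url.Parse(imgURL)
	if err != nil {
		return false
	}
	if !u.IsAbs() {
		return true // resolved against the page, so same origin
	}
	if u.Scheme == "https" && opts.AllowExternalImages {
		return true
	}
	o, err := url.Parse(pageOrigin)
	if err != nil {
		return false
	}
	return u.Scheme == o.Scheme && u.Host == o.Host
}

func main() {
	// Constructed sample URLs against an assumed local page origin.
	images := []string{"/static/a.png", "https://cdn.example/x.png", "http://cdn.example/x.png"}
	for _, enabled := range []bool{false, true} {
		opts := CSPOptions{AllowExternalImages: enabled}
		fmt.Printf("external_images.enabled=%v\n  %s\n", enabled, BuildCSP("EXAMPLE", opts))
		for _, img := range images {
			fmt.Printf("  %-28s allowed=%v\n", img, ImageAllowed(img, "http://localhost:8080", opts))
		}
	}
}
```

Running it prints the policy for both settings; a false from ImageAllowed corresponds to the CSP violation the Playwright tests look for in the browser console, and the http: URL stays blocked even when the option is enabled because only the https: scheme source is ever added.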


Address review feedback:
- Add '(requires restart)' to external images toggle description
- Update docs to say 'restart Mitto' instead of 'refresh the page'

inercia commented Feb 17, 2026

Review Comments Addressed

Thank you for the thorough review! I've addressed all 4 comments in commit ac9ec0c:

Changes Made:

  1. server.go (line 513) - The CSP middleware captures allowExternalImages at startup, so changes require restart. This is now clearly communicated in the UI.

  2. SettingsDialog.js (line 753) - Added "(requires restart)" to the external images toggle description, following the same pattern used by other settings like "Native notifications" and "Show in all Spaces".

  3. SettingsDialog.js (line 2426) - The toggle remains editable so users can save their preference, but the description now clearly states "(requires restart)" so users understand when the change takes effect.

  4. docs/config/conversations.md - Updated to say "Save your settings and restart Mitto for the change to take effect" instead of "refresh the page".

The approach follows the existing pattern in the Settings dialog where macOS-specific settings that require restart (native notifications, show in all Spaces) include "(requires restart)" in their description text.

@inercia inercia merged commit c89095f into main Feb 17, 2026
3 checks passed
@inercia inercia deleted the feat/external-images-csp branch February 17, 2026 08:13
Development

Successfully merging this pull request may close these issues.

Frontend: External images in Markdown responses don't render