GetStream / stream-chat-react

React Chat SDK ➜ Stream Chat 💬
https://getstream.io/chat/sdk/react/

Falling back to previewUrl image src `about:blank` causing CSP violations #2014

Open dillonstreator opened 1 year ago

dillonstreator commented 1 year ago

The AttachmentContainer is falling back to using an image source of about:blank for previewUrl.

https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Attachment/AttachmentContainer.tsx#L130

https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Attachment/AttachmentContainer.tsx#L165

This can cause the following CSP violation.

img-src: csp_violation: 'about' blocked by 'img-src' directive

Can we drop this fallback and not render the image if none is provided in the default ImageComponent? https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Gallery/Image.tsx#L43
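Why `about:blank` trips `img-src`, as an added example that is not part of the original issue or the stream-chat-react code: a simplified source-list matcher plus the report-URL stripping rule from CSP Level 3, which is why the violation names only `about`. It assumes exact-origin host matching (no wildcards or paths); the policy and the `https://app.example` origin are constructed.

```javascript
// Added example: simplified CSP img-src evaluation, not the browser's full algorithm.
const NETWORK_SCHEMES = new Set(['http:', 'https:']);
const SAMPLE_ORIGIN = 'https://app.example'; // constructed
const SAMPLE_POLICY = "default-src 'self'; img-src 'self' https://cdn.example data:"; // constructed

// Return the img-src source list, falling back to default-src; null if neither is set.
function imgSrcSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return directives.get('img-src') ?? directives.get('default-src') ?? null;
}

// Would an <img src={src}> on a page served from selfOrigin pass the policy?
function imgAllowed(policy, src, selfOrigin) {
  const sources = imgSrcSources(policy);
  if (sources === null) return true; // no directive governs images
  const url = new URL(src, selfOrigin); // about:blank is absolute; its origin is opaque ("null")
  return sources.some((raw) => {
    const source = raw.toLowerCase();
    if (source === "'none'") return false;
    if (source === '*') return NETWORK_SCHEMES.has(url.protocol); // '*' excludes about:, data:, blob:
    if (source === "'self'") return url.origin === new URL(selfOrigin).origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source
    try {
      return new URL(source).origin === url.origin; // host-source, exact origin only
    } catch {
      return false; // keywords and scheme-less hosts are not handled in this sketch
    }
  });
}

// CSP3 report stripping: non-HTTP(S) URLs are reported as the bare scheme.
function blockedUriForReport(src, selfOrigin) {
  const url = new URL(src, selfOrigin);
  if (!NETWORK_SCHEMES.has(url.protocol)) return url.protocol.slice(0, -1);
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.href;
}
```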

MartinCupela commented 1 year ago

@dillonstreator thank you for reporting the issue. Could you please clarify where those errors are logged, please?