JaneJeon / blink

Modern, lightweight, planet-scale link shortener for teams 🎉
https://docs.blink.rest
GNU Affero General Public License v3.0
279 stars, 27 forks

QR Code image fails to load #782

Closed mp-strachan closed 1 year ago

mp-strachan commented 1 year ago

Issue Description

Describe the bug: QR codes do not load (at creation of a link, or when accessing the link later).

Deployment method: Docker Compose behind a Traefik proxy.

Refused to load the image '{{ image data }}' because it violates the following Content Security Policy directive: "img-src 'self' *.unsplash.com".

Additional context: the IMG element is blocked by Content Security Policy.

Validated that the data within the img src is valid PNG data, so QR code is being generated correctly. Rules in ./middleware/security.js seem to prevent loading the image(s).

Cannot replicate if running on localhost - only when hosted with FQDN.

JaneJeon commented 1 year ago

First of all, thanks for the clear report. Really appreciate it a lot.

And yeah, seems like the CSP needs to be changed. To me, what seems to be going on is that I have CSP set (using mostly helmet) and the QR codes are loaded as data: URLs (that's how we display it as images), which does not pass the CSP check (literally just a whitelist check).

I think adding data: to the list of exceptions would solve this issue just fine (https://stackoverflow.com/a/18449556) BUT there's no way to really test this in CI (I'll add that maybe later, but atm I'm on a medical leave so the range of what I can do and test currently is limited).

So I'm going to change the img-src directive in ./middleware/security.js as you suggested and publish the change (it will be published as :latest or :1.3.1). Please deploy that latest version, see if it fixes the issue, then let me know whether that works or not.
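The "whitelist check" the maintainer describes, as an added example that is not blink's own code: a small model of CSP `img-src` source matching, run against the directive as reported (`'self' *.unsplash.com`) and against the corrected one with `data:` appended. The directive maps are in the shape helmet's `contentSecurityPolicy({ directives })` option takes, but helmet itself is not imported so the block runs offline. The page origin `https://links.example.com` and the short base64 payload are constructed for the example.

```javascript
// Added example, not code from the blink project. Models the subset of
// CSP Level 3 source-expression matching that explains this issue:
// 'self', 'none', '*', scheme sources (data:, https:) and host sources
// with an optional leading "*." wildcard.

// Serialise a directives map into a Content-Security-Policy header value.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Does one source expression allow `target` (a URL object) when the
// document lives at `pageOrigin`?
function sourceMatches(expr, target, pageOrigin) {
  const page = new URL(pageOrigin);

  if (expr === "'none'") return false;

  if (expr === "'self'") {
    // data: URLs are opaque and never share the page's origin, which is
    // exactly why the inline QR code was refused under 'self' alone.
    if (target.protocol === "data:") return false;
    return target.origin === page.origin;
  }

  if (expr === "*") {
    // '*' matches any URL except data:, blob: and filesystem: schemes.
    return !["data:", "blob:", "filesystem:"].includes(target.protocol);
  }

  // Scheme source, e.g. "data:" or "https:" (matches that scheme only).
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return target.protocol.toLowerCase() === expr.toLowerCase();
  }

  // Host source, optionally prefixed with a scheme ("https://cdn.example").
  let scheme = null;
  let hostPart = expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(expr);
  if (m) {
    scheme = `${m[1].toLowerCase()}:`;
    hostPart = m[2];
  }
  // Host sources never match data: (no host to compare against).
  if (target.protocol === "data:") return false;
  if (scheme) {
    if (target.protocol !== scheme) return false;
  } else if (
    target.protocol !== page.protocol &&
    !(page.protocol === "http:" && target.protocol === "https:")
  ) {
    return false; // without a scheme, the page's scheme (or an upgrade) is required
  }
  const host = hostPart.split("/")[0].split(":")[0].toLowerCase();
  const targetHost = target.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    // "*.unsplash.com" matches images.unsplash.com but not unsplash.com itself.
    return targetHost.endsWith(host.slice(1));
  }
  return targetHost === host;
}

// The browser-side check: an image is allowed if any img-src expression matches.
function imgSrcAllows(imgSrcList, urlString, pageOrigin) {
  const target = new URL(urlString);
  return imgSrcList.some((expr) => sourceMatches(expr, target, pageOrigin));
}

// Directive as reported in the issue, and as corrected by adding data:.
const BEFORE = { "img-src": ["'self'", "*.unsplash.com"] };
const AFTER = { "img-src": ["'self'", "*.unsplash.com", "data:"] };

// Constructed sample inputs (not from the original report).
const PAGE_ORIGIN = "https://links.example.com";
const QR_DATA_URL = "data:image/png;base64,iVBORw0KGgo=";

console.log("before:", buildCspHeader(BEFORE),
  "-> QR allowed:", imgSrcAllows(BEFORE["img-src"], QR_DATA_URL, PAGE_ORIGIN));
console.log("after: ", buildCspHeader(AFTER),
  "-> QR allowed:", imgSrcAllows(AFTER["img-src"], QR_DATA_URL, PAGE_ORIGIN));
```

Note that `data:` in `img-src` is a scheme-wide allowance: any inline image, not just the QR code, will render. That is normally acceptable for images (the risk is lower than `data:` in `script-src`), and is narrower than `*`, which would admit any remote host.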

JaneJeon commented 1 year ago

Okay, the 1.3.1 release is out: https://github.com/JaneJeon/blink/releases/tag/v1.3.1

And all of the images (latest, v1.3.1, v1.3, v1) are updated: https://github.com/JaneJeon/blink/pkgs/container/blink

Please try the updated version and see if it fixes your issue.

JaneJeon commented 1 year ago

@mp-strachan hello, I was wondering if the fix addresses your issue? It should be just as simple as updating your docker image.

JaneJeon commented 1 year ago

Hi, as the fix has been pushed and there's been no reply, I'm going to assume that the issue was resolved and close the issue.

If it isn't, please feel free to comment here again and I'll re-open up the issue.