Closed mp-strachan closed 1 year ago
First of all, thanks for the clear report. Really appreciate it a lot.
And yeah, seems like the CSP needs to be changed. To me, what seems to be going on is that I have CSP set (using mostly helmet) and the QR codes are loaded as `data:` URLs (that's how we display it as images), which does not pass the CSP check (literally just a whitelist check).
I think adding `data:` to the list of exceptions would solve this issue just fine (https://stackoverflow.com/a/18449556) BUT there's no way to really test this in CI (I'll add that maybe later, but atm I'm on a medical leave so the range of what I can do and test currently is limited).
So I'm going to change the `img-src` directive in the `./middleware/security.js` as you suggested, publish the change (it will be published as the `:latest` or `:1.3.1`), and please deploy that latest version and see if that fixes the issue, then let me know whether that works or not.
Okay, the 1.3.1 release is out: https://github.com/JaneJeon/blink/releases/tag/v1.3.1
And all of the images (latest, v1.3.1, v1.3, v1) are updated: https://github.com/JaneJeon/blink/pkgs/container/blink
Please try the updated version and see if it fixes your issue.
@mp-strachan hello, I was wondering if the fix addresses your issue? It should be just as simple as updating your docker image.
Hi, as the fix has been pushed and there's been no reply, I'm going to assume that the issue was resolved and close the issue.
If it isn't, please feel free to comment here again and I'll re-open the issue.
Issue Description
Describe the bug: QR codes do not load in (at creation of a link, or accessing the link later)
Deployment Method: Docker-compose behind Traefik proxy
`Refused to load the image '{{ image data }}' because it violates the following Content Security Policy directive: "img-src 'self' *.unsplash.com".`
Additional context: IMG element is blocked by Content Security Policy.
Validated that the data within the img src is valid PNG data, so QR code is being generated correctly. Rules in `./middleware/security.js` seem to prevent loading the image(s). Cannot replicate if running on localhost - only when hosted with FQDN.
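The whitelist check the maintainer describes and the `img-src` directive quoted in the error above, as an added example that is not code from the blink project or from helmet: a simplified `img-src` source-list matcher (covering `'self'`, scheme sources such as `data:`, and host sources with a leading wildcard; the directive object shape is assumed to mirror helmet's `directives` option) showing the QR `data:` URL refused under the reported directive and allowed once `data:` is added.

```javascript
// Added example, not code from blink or helmet: a simplified CSP img-src
// matcher. Real browsers implement the full CSP3 matching algorithm; this
// handles 'self', scheme sources ("data:", "https:") and host sources with
// an optional leading "*." wildcard, which is enough to reproduce the bug.

// Directive value as reported in the issue, and the fixed value.
const IMG_SRC_BEFORE = "'self' *.unsplash.com";
const IMG_SRC_AFTER = "'self' *.unsplash.com data:";

// Helmet-style directive objects (shape assumed from helmet's
// contentSecurityPolicy({ directives }) option; helmet itself is not loaded).
const cspBefore = { directives: { imgSrc: ["'self'", "*.unsplash.com"] } };
const cspAfter = { directives: { imgSrc: ["'self'", "*.unsplash.com", "data:"] } };

// Does one source expression match `url`, loaded from a page at `origin`?
function sourceMatches(source, url, origin) {
  if (source === "'self'") return url.origin === origin; // data: URLs have origin "null"
  if (source === "'none'") return false;
  // Scheme source such as "data:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Host source, optionally with a leading wildcard label ("*.unsplash.com")
  const host = url.hostname.toLowerCase();
  if (source === "*") return true;
  if (source.startsWith("*.")) {
    const suffix = source.slice(1).toLowerCase(); // ".unsplash.com"
    // The wildcard matches subdomains only, not the bare apex host.
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === source.toLowerCase();
}

// Whitelist check: the image load is allowed if any source expression matches.
function imgSrcAllows(directive, urlString, origin) {
  const url = new URL(urlString);
  return directive.split(/\s+/).filter(Boolean).some((s) => sourceMatches(s, url, origin));
}

// Constructed sample: a page origin and a (truncated) PNG data: URL like the QR code.
const PAGE_ORIGIN = "https://links.example.test";
const QR_DATA_URL = "data:image/png;base64,iVBORw0KGgo=";

function qrAllowedBefore() { return imgSrcAllows(IMG_SRC_BEFORE, QR_DATA_URL, PAGE_ORIGIN); }
function qrAllowedAfter() { return imgSrcAllows(IMG_SRC_AFTER, QR_DATA_URL, PAGE_ORIGIN); }

console.log("before fix:", qrAllowedBefore()); // false: "Refused to load the image"
console.log("after fix:", qrAllowedAfter());   // true
```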