Mawi137 / ngx-image-cropper

An image cropper for Angular
MIT License
774 stars 207 forks

Usage of `data:` regarding Content Security Policy (CSP) #620

Open Basssiiie opened 6 months ago

Basssiiie commented 6 months ago

Hello,

We are using the image cropper in our applications and are running into an issue with our Content Security Policy. We'd like to restrict the usage of data: as it is considered an insecure protocol, but the image cropper does not like this because it contains a hardcoded image inside a data: base64 string here.

For reference, from here:

data: Allows data: URLs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URLs. Use this sparingly and definitely not for scripts.

Would it be possible to have this replaced with a safer alternative so the usage of data: can be completely banned from our applications?

Thank you very much for your time. 🙂
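To make the constraint concrete, here is an added example (not code from ngx-image-cropper or from the issue author): a small evaluator of the CSP `img-src` directive, run on a constructed `data:` placeholder image under a policy that allows `data:` and one that does not. The page origin `https://app.example`, the placeholder string and the helper names are assumptions.

```javascript
// Added example (not from ngx-image-cropper): minimal evaluator for the CSP
// img-src directive, showing why a hardcoded data: image is blocked once
// data: is dropped from the allow-list. Assumptions: page origin
// https://app.example (constructed); handles 'self', 'none', scheme sources
// (data:, blob:, https:) and host sources only; no nonces, hashes or wildcards.

const PAGE_ORIGIN = 'https://app.example'; // constructed value

// Parse a CSP header into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// True if `url` may be loaded as an image under `header`.
// img-src falls back to default-src; with neither present everything is allowed.
function imageAllowed(header, url) {
  const policy = parseCsp(header);
  const sources = policy['img-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  if (sources.includes("'none'")) return false;
  const target = new URL(url, PAGE_ORIGIN);
  for (const src of sources) {
    if (src === "'self'") {
      if (target.origin === PAGE_ORIGIN) return true; // data: URLs have origin "null"
    } else if (src.endsWith(':')) {
      if (target.protocol === src) return true; // scheme source, e.g. data: or blob:
    } else {
      const host = new URL(src.includes('://') ? src : `https://${src}`);
      if (host.origin === target.origin) return true; // host source
    }
  }
  return false;
}

// Constructed stand-in for the cropper's built-in data: placeholder image.
const PLACEHOLDER = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
const PERMISSIVE = "default-src 'self'; img-src 'self' data:";
const STRICT = "default-src 'self'; img-src 'self' blob:";

console.log(imageAllowed(PERMISSIVE, PLACEHOLDER)); // true
console.log(imageAllowed(STRICT, PLACEHOLDER));     // false: data: is no longer allowed
```

Under the strict policy the browser reports a CSP violation for the placeholder, which is the behaviour the issue describes; same-origin and `blob:` images still load.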

Mawi137 commented 4 months ago

Hi

By default the image is set to an empty pixel; I don't know anymore why that is. So we can try to remove it. Feel free to try it out and open a PR.