Mirobit / bitcoin-node-manager

:bar_chart: Lightweight dashboard and control system for bitcoin nodes
MIT License
122 stars, 62 forks

assets/css/custom.css calls a remote image from cssdeck.com hosted by cloudflare #74

Closed gStart9 closed 1 year ago

gStart9 commented 1 year ago

https://github.com/Mirobit/bitcoin-node-manager/blob/master/assets/css/custom.css#L3488

Even though a request to index.php and/or / results in a response whose headers set a Content-Security-Policy of img-src='self' for the page in the browser, the image in question is loaded from a remote server via /assets/css/custom.css because custom.css itself is not delivered with a Content-Security-Policy header. Every response from this web app should have Content-Security-Policy header set.

It is an insecure request to http:// and the remote web server 301 redirects the browser to request it via https://, resulting in yet another request to a remote cloudflare cdn server. These cloudflare CDN servers, as well as the origin server @ cssdeck.com can gather information about people running nodes this way. Luckily, the http referer header was not sent with either request due to a good referrer policy.
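The two checks the report asks for, as an added example that is not part of the issue and not the project's own code: scan a served stylesheet for url() references that leave the app's origin (flagging plain-http ones, which are what triggered the 301 to the CDN described above), and list responses whose headers lack Content-Security-Policy. The sample CSS, hostnames and response headers below are constructed; a real audit would feed in the fetched custom.css text and the captured response headers instead.

```python
"""Audit a stylesheet for off-origin url() loads and responses for a missing CSP header."""
import re
from urllib.parse import urlparse

# url(...) in CSS, with optional single/double quotes around the target.
_URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""", re.IGNORECASE)


def external_css_urls(css_text, own_hosts=()):
    """Return url() targets that resolve to a host other than the app's own.

    Relative paths and data: URIs have no network location and are skipped.
    Each hit records the scheme ('' for scheme-relative //host/path) and whether
    it is plain http, which a browser will either block as mixed content or
    send in the clear before the remote server redirects it to https.
    """
    own = {h.lower() for h in own_hosts}
    hits = []
    for match in _URL_RE.finditer(css_text):
        target = match.group(2).strip()
        parts = urlparse(target)
        if not parts.netloc or parts.netloc.lower() in own:
            continue
        hits.append({
            "url": target,
            "host": parts.netloc.lower(),
            "scheme": parts.scheme,
            "plain_http": parts.scheme == "http",
        })
    return hits


def responses_missing_csp(responses):
    """Given (path, headers) pairs, return the paths served without a CSP header.

    Header names are compared case-insensitively, as HTTP requires.
    """
    missing = []
    for path, headers in responses:
        names = {name.lower() for name in headers}
        if "content-security-policy" not in names:
            missing.append(path)
    return missing


# Constructed sample stylesheet: one local image, one data: URI,
# one plain-http remote image, one scheme-relative remote image.
SAMPLE_CSS = """
body  { background: url("../assets/img/bg.png"); }
.icon { background-image: url(data:image/png;base64,iVBORw0KGgo=); }
.hero { background: url(http://cssdeck.example/remote.png) no-repeat; }
.logo { background: url('//cdn.example/logo.svg'); }
"""

# Constructed sample responses: the HTML page carries a CSP, the stylesheet does not.
SAMPLE_RESPONSES = [
    ("/index.php", {"Content-Type": "text/html",
                    "Content-Security-Policy": "default-src 'self'; img-src 'self'"}),
    ("/assets/css/custom.css", {"Content-Type": "text/css"}),
]


def audit(css_text, responses, own_hosts):
    """Run both checks and return a summary dict suitable for failing a CI job."""
    remote = external_css_urls(css_text, own_hosts)
    no_csp = responses_missing_csp(responses)
    return {
        "remote_css_loads": remote,
        "responses_without_csp": no_csp,
        "clean": not remote and not no_csp,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CSS, SAMPLE_RESPONSES, own_hosts=("node.example",))
    for hit in report["remote_css_loads"]:
        print("remote load in CSS:", hit["url"], "(plain http)" if hit["plain_http"] else "")
    for path in report["responses_without_csp"]:
        print("no Content-Security-Policy on:", path)
```

The hostname node.example stands in for the node's own host. A clean result means the stylesheet references nothing off-origin, so nothing in it can leak a node operator's IP to a third party regardless of what the page's CSP allows.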

gStart9 commented 1 year ago

Fixed by this commit - thanks!