Open igzThomasFrischholz opened 1 month ago
Thanks a lot for your PR. The team will have a look at it! Internally tracked via DINC0162093.
blob: URLs are generally considered as insecure as unsafe-eval (see https://github.com/w3c/webappsec-csp/commit/0f497cbe6f28dc9698fa4dc04a91b407278f8735 and https://www.w3.org/TR/CSP2/#source-list-guid-matching) and might not be explicitly allowed by the CSP configuration set in e.g. Fiori launchpad sites.
URLListValidator did not support Object-URLs, which led to misbehaviour in some classes (e.g. PDFViewer could not load files from object URLs).
This PR aims to fix this issue by adding a regex check and decompose into the validate method of URLListValidator.js. A separate Unit-Test for the desired behavior has been added as well.
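The kind of check the description refers to, as an added example that is not the PR's code or UI5's API: a blob: URL is decomposed into the origin that created it, and that origin is matched against an allowlist. The function names, the allowlist entry shape, the sample hosts and the assumption that the identifier is a UUID are all hypothetical.

```javascript
// Added illustration: allowlist validation for object URLs (blob:<origin>/<uuid>).
// Names and the allowlist entry shape are hypothetical, not URLListValidator's API.
const BLOB_RE =
  /^blob:(https?:\/\/[^\/?#\s]+)\/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$/i;

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : "80";
}

// Decompose a blob: URL into its creating origin; returns null if malformed.
function decomposeBlobUrl(url) {
  const m = BLOB_RE.exec(String(url));
  if (!m) return null; // also rejects blob:null/... (opaque origin)
  let inner;
  try {
    inner = new URL(m[1]); // normalises host case, validates the port
  } catch (e) {
    return null;
  }
  // Userinfo in the embedded origin is a classic host-confusion vector.
  if (inner.username || inner.password) return null;
  return {
    protocol: inner.protocol,
    host: inner.hostname,
    port: inner.port || defaultPort(inner.protocol),
    id: m[2].toLowerCase(),
  };
}

// True only if the blob's creating origin matches an allowlist entry exactly.
function isAllowedBlobUrl(url, allowlist) {
  const parts = decomposeBlobUrl(url);
  if (!parts) return false;
  return allowlist.some((e) =>
    e.protocol === parts.protocol &&
    e.host === parts.host &&
    String(e.port || defaultPort(e.protocol)) === parts.port);
}

// Constructed sample data (hosts and UUID are made up).
const ALLOWLIST = [{ protocol: "https:", host: "launchpad.example.com" }];
const ID = "3b241101-e2bb-4255-8caf-4136c566a962";
const SAMPLES = [
  `blob:https://launchpad.example.com/${ID}`,              // allowed
  `blob:https://launchpad.example.com@other.example/${ID}`, // userinfo: rejected
  `blob:null/${ID}`,                                        // opaque origin: rejected
];
for (const s of SAMPLES) console.log(isAllowedBlobUrl(s, ALLOWLIST), s);
```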