SAP / openui5

OpenUI5 lets you build enterprise-ready web applications, responsive to all devices, running on almost any browser of your choice.
http://openui5.org
Apache License 2.0

Added support for object urls to URLListValidator.js #4055

Open igzThomasFrischholz opened 1 month ago

igzThomasFrischholz commented 1 month ago

URLListValidator did not support object URLs, which led to misbehaviour in some classes (e.g. PDFViewer could not load files from object URLs).

This PR aims to fix this issue by adding a regex check and decomposition into the validate method of URLListValidator.js. A separate unit test for the desired behaviour has been added as well.

cla-assistant[bot] commented 1 month ago

CLA assistant check
All committers have signed the CLA.

flovogt commented 1 month ago

Thanks a lot for your PR. The team will have a look at it! Internally tracked via DINC0162093.

boghyon commented 1 month ago

blob: URLs are generally considered as insecure as unsafe-eval (See https://github.com/w3c/webappsec-csp/commit/0f497cbe6f28dc9698fa4dc04a91b407278f8735 and https://www.w3.org/TR/CSP2/#source-list-guid-matching) and might not be explicitly allowed by the CSP configuration set in e.g. Fiori launchpad sites.
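As an added illustration (not code from this PR or from OpenUI5), the following standalone snippet accepts a blob: object URL only when the origin embedded in it is on an allowlist, and separately checks whether a CSP header explicitly permits blob: for a given directive, which is the point raised in the comment above. The validator, the CSP parser and the sample values are assumptions of this example, not the project's URLListValidator.

```javascript
// Added example, not OpenUI5 code. Object URLs have the form
// blob:<origin>/<uuid>; the origin is the one that created the blob.
const OBJECT_URL = new RegExp(
  "^blob:(https?://[^/?#]+)/" +
  "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", "i"
);

// True only for a well-formed object URL whose embedded origin is allowed.
// Opaque origins (blob:null/...) never match the regex and are rejected.
function isAllowedObjectUrl(url, allowedOrigins) {
  const m = OBJECT_URL.exec(String(url));
  if (!m) return false;
  const origin = m[1].toLowerCase();
  return allowedOrigins.map((o) => o.toLowerCase()).includes(origin);
}

// Parse a CSP header into { directive: [source expressions...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// Does the policy let `directive` (e.g. "object-src") load blob: URLs?
// Per CSP2/CSP3 source matching, blob: is only allowed by the explicit
// scheme source "blob:"; neither "*" nor 'self' covers it. When the
// directive is absent the fetch directive falls back to default-src
// (the frame-src -> child-src step is not modelled here).
function cspAllowsBlob(header, directive) {
  const policy = parseCsp(header);
  const sources = policy[directive.toLowerCase()] ?? policy["default-src"];
  if (!sources) return true; // no applicable directive: nothing restricts it
  return sources.includes("blob:");
}

// Constructed sample: a page that serves its own blob and a strict CSP.
const SAMPLE_ORIGIN = "https://app.example.com";
const SAMPLE_URL = "blob:https://app.example.com/550e8400-e29b-41d4-a716-446655440000";
const SAMPLE_CSP = "default-src 'self'; object-src 'self' blob:";
```

The combination matters: a validator may accept the URL while the launchpad's CSP still blocks it, so both checks are needed to explain a PDFViewer that fails to load.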