Closed ShadyMedic closed 1 year ago
Hello! 👋 Thanks for logging this issue. Please remember we are all volunteers here, so some patience may be required before we can get to the issue. Also remember that the fastest way to get resolution on an issue is to propose a change directly, https://github.com/ankidroid/Anki-Android/wiki/Contributing
Duplicate of #6669 Would likely be fixed by #8184
Is your feature request related to a problem? Please describe.
I created a simple service to allow creators of Anki decks to notify their users when an update is available.
If you have ever shared a deck, you can probably relate to this situation: You publish the .apkg file on whatever platform your classmates are using, they download it, import it and start using it. After a few days, you notice incorrect information in your deck, or perhaps a sentence that can be easily misinterpreted. So you fix it, export a new .apkg file, publish it again and write a message under it, in which you tell your classmates who imported the old version to download this new one and import it, so they can get the fixes.
But most of the classmates are not really paying attention to the platform (which is usually some kind of a group chat) and when they log in once in a while, they don't browse the older messages (including your patch of the deck). So they keep using the first version, learn incorrect information and then fail the exam (a bit of an extreme scenario, but nobody should learn incorrect things without knowing).
So I created an automatic update checker. It works easily. The deck creator inserts the following code in the deck's description:
Whenever the user opens the deck to study, an HTTP request is sent to my webserver, along with the ID of the package (not the Anki-database ID, but an ID set by my service when the creator uploads the first version) and the currently installed version (both are simple ints).
My service then fetches the latest version number for the deck with the given ID, compares it with the installed version number from the request and if the installed version is a smaller number than the latest one, it responds with an "update-available" SVG image, that is displayed in the <img> element in the code above:
The user then clicks/taps the image, that is within the <a> element and is taken to the MY-DOMAIN/update/PACKAGE-ID/INSTALLED-VERSION webpage. This webpage performs one more version comparison check (in case the deck creator forgot to update the version number in both <a> and <img> elements) and if the versions are not equal, the user is then redirected to the download page that the deck creator specified.
If the version numbers are the same, a different SVG image is displayed in the deck description:
This all works in the desktop version of Anki (as portrayed in the screenshots above), but not so much in AnkiDroid.
In AnkiDroid, I see a green square instead of the image:
I did some research and according to Bing AI, this is most likely caused by the app's Content Security Policy, which limits loading of external sources.
While I understand the need to protect users from potentially malicious content being downloaded and displayed after simply clicking an Anki Deck, I believe that that wasn't the intended use here. Because if I use the updater HTML code on a card instead of in the deck's description, the external image loads just fine.
Describe the solution you'd like
Unify the CSP rules and allow loading images from external sources in deck description.
Describe alternatives you've considered
If this was intended (or if, god forbid, you disable loading external images in cards as well), could my domain get an exception from the rule? The server-side source code is open source and anyone can audit it. I'd send a link to the GitHub repo here, but I'm not sure if that wouldn't count as advertisement. Let me know if you want to see it.
TL;DR
Check the HTML code block, the first two images are its output in desktop version of Anki, the third image is its output in AnkiDroid
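The two-step version check described in the post, written out as an added example; this is not the poster's server code, which does not appear on this page. The registry contents, the function names, the badge names other than "update-available", the status codes and the http(s)-only redirect check are assumptions made for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample data: package ID -> (latest version, creator-specified download page).
PACKAGES = {
    17: (3, "https://example.org/decks/anatomy"),
    18: (2, "file:///tmp/deck.apkg"),  # constructed entry with a non-web target
}

def parse_ids(package_id: str, installed: str) -> Tuple[int, int]:
    """Both path segments are simple ints per the post; reject anything else."""
    for value in (package_id, installed):
        if not (value.isascii() and value.isdigit() and len(value) <= 9):
            raise ValueError("package ID and version must be short decimal integers")
    return int(package_id), int(installed)

def badge_for(package_id: str, installed: str) -> str:
    """Image request: choose which SVG the <img> element receives."""
    pid, version = parse_ids(package_id, installed)
    if pid not in PACKAGES:
        return "unknown-package"  # assumption: the post does not cover this case
    latest, _ = PACKAGES[pid]
    return "update-available" if version < latest else "up-to-date"

def update_page(package_id: str, installed: str) -> Tuple[int, Optional[str]]:
    """Update page: second comparison, then redirect to the download page."""
    pid, version = parse_ids(package_id, installed)
    if pid not in PACKAGES:
        return 404, None
    latest, target = PACKAGES[pid]
    if version == latest:
        return 200, None  # versions are equal: nothing to download
    parts = urlsplit(target)
    # Added check (assumption): only redirect to absolute http(s) URLs.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 500, None
    return 302, target

if __name__ == "__main__":
    print(badge_for("17", "2"), update_page("17", "2"))
    print(badge_for("17", "3"), update_page("17", "3"))
```

Because the image request carries the package ID and installed version on every deck open, the server sees one request per study session per user, which is the behaviour a client-side image restriction would block.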