I'm seeing an answer here that states that the usage of `img-src data:`
is fine, but it still feels off. See https://security.stackexchange.com/questions/94993/is-including-the-data-scheme-in-your-content-security-policy-safe/167244#167244
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contribution.
Closing this issue after a prolonged period of inactivity. If this issue is still present in the latest release, please create a new issue with up-to-date information. Thank you!
Documentation issue
The documentation says that sort icons in b-table are `data:...` elements. But there is no CSP information on how to get that image loaded correctly under a strict CSP policy. Thus loading the sort icon will fail.
For the default sort icon, using the options below does not yield a rendered image, and allowing `data:` or `unsafe-eval` is not a sane option. So how do I get it into the CSP so that it renders, while still being secure?
The solution, afaik, would be to add a hash of the inline data to the CSP, or to use a different approach to rendering the image. Yet I cannot find the right way to embed it. This is a puzzle and a waste of time for any developer wanting to implement CSP + bootstrap-vue. Therefore, adding something about CSP and inline images to the docs would help a lot.
These don't work as `img-src` or `default-src`; they are hashes of the `data:` part of the embedded image.
Is there a specific documentation page you are reporting?
https://bootstrap-vue.org/docs/components/table#customizing-the-sort-icons
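An added example (not bootstrap-vue's code, not from the thread) that audits a CSP header value for the situation described in this issue. It assumes two facts about CSP: a `data:` image such as a CSS `background-image` is governed by `img-src` (falling back to `default-src`), and hash sources are only honoured by the script and style directives, so a `'sha256-...'` entry under `img-src` is silently ignored; the sample headers and the `'sha256-abc='` value are constructed placeholders.

```python
# Added example: audit a Content-Security-Policy value for data: images.
# Assumes CSP semantics: img-src falls back to default-src, and hash sources
# only match in script/style directives (an img-src hash is ignored).
from typing import Dict, List, Tuple

HASH_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr",
                   "style-src", "style-src-elem", "style-src-attr"}
# Directives where a data: source lets inline data run as code (higher risk
# than data: images); both fall back to default-src when absent.
CODE_DIRECTIVES = {"script-src", "object-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """A fetch directive that is absent inherits the default-src source list."""
    return policy.get(directive, policy.get("default-src", []))


def allows_data_images(policy: Dict[str, List[str]]) -> bool:
    """True if a data: URI image (e.g. the b-table sort icon) would load."""
    return any(src.lower() == "data:" for src in effective_sources(policy, "img-src"))


def ignored_hashes(policy: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Hash sources placed in directives that never match them (e.g. img-src)."""
    found: List[Tuple[str, str]] = []
    for directive, sources in policy.items():
        if directive in HASH_DIRECTIVES:
            continue
        for src in sources:
            if src.lower().startswith(("'sha256-", "'sha384-", "'sha512-")):
                found.append((directive, src))
    return found


def risky_data_directives(policy: Dict[str, List[str]]) -> List[str]:
    """Code-loading directives where data: ends up allowed (directly or via default-src)."""
    return sorted(d for d in CODE_DIRECTIVES
                  if any(s.lower() == "data:" for s in effective_sources(policy, d)))


def audit(header: str) -> Dict[str, object]:
    """Summarise whether data: icons load, which hashes are dead, and what is risky."""
    policy = parse_csp(header)
    return {"icons_load": allows_data_images(policy),
            "ignored_hashes": ignored_hashes(policy),
            "risky": risky_data_directives(policy)}
```

Running `audit` on `default-src 'self'; img-src 'self' 'sha256-abc='` reports that the icon will not load and that the hash is ignored, while `default-src 'self'; img-src 'self' data:` loads the icon without putting `data:` anywhere code can run.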