configuration-fyi / configuration

Community driven comparison of modern open source configuration management languages, patterns and solutions.
https://configuration.fyi/
Apache License 2.0

Explicitly define img-src CSP #9

Closed RiRa12621 closed 4 years ago

RiRa12621 commented 4 years ago

This fixes #8 by explicitly defining the img-src CSP.

This is only an issue on Firefox because it needs explicit definition of CSPs. When reviewing that content on Chrome it gets obvious: img-src is not explicitly defined, so we have a fallback to default-src.

Refused to load the image 'data:image/svg+xml,%3csvg viewBox='0 0 30 30' xmlns='http://www.w3.org/2000/svg'%3e%3cpath stroke='rgba(255, 255, 255, 0.5)' stroke-width='2' stroke-linecap='round' stroke-miterlimit='10' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

While checking this with the CSP evaluator, it shows that sooner or later we should look into the script source as well, but this fixes a UI issue for now.

RiRa12621 commented 4 years ago

Seems we were hitting https://bugzilla.mozilla.org/show_bug.cgi?id=1262842; had to explicitly define the style-src.
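The fallback behaviour behind both comments above (img-src in the first, style-src in the second) is easy to get wrong when reading a policy by eye, so here is an added example that is not part of the PR or of the configuration-fyi project: a small model of how a browser resolves CSP fetch directives to their governing directive and decides whether a given load is allowed. The "before" policy is the `default-src https:` quoted in the console message; the "after" policy that adds `img-src` and `style-src` is an assumed example of a fix, not the project's actual header, and the `data:` SVG URL is constructed from the snippet in the error message.

```javascript
// Added example (not from the configuration-fyi project): a minimal model of CSP
// directive fallback, showing why "default-src https:" refuses a data: SVG image
// unless img-src is set explicitly, and that style-src falls back the same way.

// Fetch directives that fall back to default-src when they are not set.
const FALLS_BACK_TO_DEFAULT = new Set([
  "img-src", "style-src", "script-src", "font-src", "connect-src", "media-src",
  "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
]);

// Parse a Content-Security-Policy header value into Map<directive, [source expressions]>.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // a repeated directive is ignored
  }
  return policy;
}

// Which directive actually governs `directive`: itself, default-src as fallback, or
// null when nothing applies (in which case the load is allowed).
function effectiveDirective(policy, directive) {
  if (policy.has(directive)) return directive;
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) return "default-src";
  return null;
}

// Decide whether `url` may load under `directive`. Supports scheme sources (https:, data:),
// '*', 'self', 'none' and plain host sources; host wildcards are deliberately not modelled.
function allowsLoad(policy, directive, url, pageOrigin) {
  const governing = effectiveDirective(policy, directive);
  if (governing === null) return { allowed: true, governing, fallback: false };
  const sources = policy.get(governing);
  const scheme = url.slice(0, url.indexOf(":") + 1); // "data:" or "https:"
  const allowed = sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "*") return !["data:", "blob:", "filesystem:"].includes(scheme); // '*' never matches these
    if (src === "'self'") return url === pageOrigin || url.startsWith(pageOrigin + "/");
    if (src.endsWith(":")) return src.toLowerCase() === scheme; // scheme source
    return url.startsWith(src); // host source, prefix match
  });
  return { allowed, governing, fallback: governing !== directive };
}

// Render a browser-style explanation of the decision, including the fallback note.
function explainLoad(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const r = allowsLoad(policy, directive, url, pageOrigin);
  if (r.allowed) return `Allowed ${url.slice(0, 40)} under ${r.governing ?? "(no directive)"}.`;
  let msg = `Refused to load ${url.slice(0, 40)}... because it violates "${r.governing} ${policy.get(r.governing).join(" ")}".`;
  if (r.fallback) msg += ` Note that '${directive}' was not explicitly set, so '${r.governing}' is used as a fallback.`;
  return msg;
}

// Constructed sample values. BEFORE is the policy quoted in the console error;
// AFTER is an assumed fix that sets img-src and style-src explicitly.
const PAGE_ORIGIN = "https://configuration.fyi";
const DATA_SVG = "data:image/svg+xml,%3csvg viewBox='0 0 30 30' xmlns='http://www.w3.org/2000/svg'%3e%3c/svg%3e";
const BEFORE = "default-src https:";
const AFTER = "default-src https:; img-src https: data:; style-src https: 'unsafe-inline'";

// Returns the decisions the PR discussion is about, so they can be checked programmatically.
function prComparison() {
  return {
    svgBefore: allowsLoad(parseCsp(BEFORE), "img-src", DATA_SVG, PAGE_ORIGIN),
    svgAfter: allowsLoad(parseCsp(AFTER), "img-src", DATA_SVG, PAGE_ORIGIN),
    cssBefore: allowsLoad(parseCsp(BEFORE), "style-src", PAGE_ORIGIN + "/site.css", PAGE_ORIGIN),
    cssAfter: allowsLoad(parseCsp(AFTER), "style-src", PAGE_ORIGIN + "/site.css", PAGE_ORIGIN),
  };
}

console.log(explainLoad(BEFORE, "img-src", DATA_SVG, PAGE_ORIGIN));
console.log(explainLoad(AFTER, "img-src", DATA_SVG, PAGE_ORIGIN));
```

Running it prints a refusal for the data: SVG under the "before" policy, with the same fallback note the browser console shows, and an allow under the "after" policy; the `cssBefore` result shows that a stylesheet load is also governed by `default-src` until `style-src` is written out. When auditing a policy, check `fallback` on each resource type you care about rather than assuming a directive you did not write has no effect.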

bwplotka commented 4 years ago

Nice :muscle:

Ah this security (: