getodk / central

ODK Central is a server that is easy to use, very fast, and stuffed with features that make data collection easier. Contribute and make the world a better place! ✨🗄✨
https://docs.getodk.org/central-intro/
Apache License 2.0

Content-Security-Policy: allow images from data: URLs #772

Closed alxndrsn closed 1 week ago

alxndrsn commented 1 week ago

QR codes displayed in odk-central-frontend are displayed with `src=data:...`

Closes #629

matthew-white commented 1 week ago

Tagging @lognaturel, since I think she reviewed the original CSP.

lognaturel commented 1 week ago

Changed the base to `next`. @alxndrsn could you please keep the PR checklist that has a reminder about target branch?

alxndrsn commented 1 week ago

We need `*` for arbitrary images embedded in markdown descriptions and `data` for the QR codes.

I think it would be helpful to add this as a comment, but commenting every one of these rules would get out of hand quite quickly :thinking:
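Why the rule needs both sources, as an added example that is not code from this PR or from ODK Central: in a CSP source list, `*` matches network schemes but not `data:` URLs, so `data:` has to be listed separately. The matcher is a simplified model (scheme, `*`, `'self'` and exact-origin sources only), and the origin, policies and URLs are constructed.

```javascript
// Simplified model of CSP img-src matching. Not a full CSP implementation:
// no paths, ports wildcards, subdomain wildcards, nonces or hashes.
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

// Return the source list of one directive, or null if the directive is absent.
function sourcesFor(policy, directive) {
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return null;
}

function imgAllowed(policy, pageOrigin, imgUrl) {
  // img-src falls back to default-src when it is not present.
  const sources = sourcesFor(policy, 'img-src') ?? sourcesFor(policy, 'default-src');
  if (sources === null) return true; // nothing restricts images
  const page = new URL(pageOrigin);
  const url = new URL(imgUrl, pageOrigin);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    // '*' covers network schemes and the page's own scheme, never data:/blob:.
    if (s === '*') return NETWORK_SCHEMES.has(url.protocol) || url.protocol === page.protocol;
    if (s === "'self'") return url.origin === page.origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. data:
    try {
      const o = new URL(s).origin; // host-source with explicit scheme
      return o !== 'null' && o === url.origin;
    } catch {
      return false; // keyword or form this model does not handle
    }
  });
}

// Constructed sample inputs.
const ORIGIN = 'https://central.example';
const QR = 'data:image/png;base64,iVBORw0KGgo=';
const REMOTE = 'https://images.example/logo.png';

function check(policy) {
  return { qr: imgAllowed(policy, ORIGIN, QR), remote: imgAllowed(policy, ORIGIN, REMOTE) };
}

for (const p of ['img-src *', 'img-src data:', 'img-src * data:']) {
  console.log(p.padEnd(18), check(p));
}
```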

lognaturel commented 1 week ago

I think what you've done with the commit message is great! If we have questions we can use git to see what was going on.

I always try to leave a note of what I think about when I do a review, also for archaeology purposes.