grundic / teamcity-avatar

Plugin for displaying user avatars in Teamcity

Gravatar cannot be loaded with TeamCity 2019.1 #12

Open agross opened 5 years ago

agross commented 5 years ago

TeamCity 2019.1 RC seems to issue a Content Security Policy that makes it impossible to load images from other domains. The following is logged for the TeamCity main screen:

Refused to load the image 'https://www.gravatar.com/avatar/418efad95977c2314e8fecff04f7bb41.jpg?d=404' because it violates the following Content Security Policy directive: "img-src 'self' data: http://127.0.0.1:63330 http://127.0.0.1:63331 http://127.0.0.1:63332 http://127.0.0.1:63333 http://127.0.0.1:63334 http://127.0.0.1:63335 http://127.0.0.1:63336 http://127.0.0.1:63337 http://127.0.0.1:63338 http://127.0.0.1:63339"

I'm running TC behind nginx but nginx does not modify CSP headers. Perhaps the plugin needs to add its image domains to TeamCity's builtin CSP.

kir commented 5 years ago

There are internal properties and new OpenAPI for that: https://twitter.com/maxkir/status/1131836759795478528

kir commented 5 years ago

So the fixed value for the internal property could be frame-ancestors 'self';default-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';connect-src 'self' ws: wss:;img-src 'self' data: https://www.gravatar.com;font-src 'self' data:

agross commented 5 years ago

I'm going to test this for a few weeks:

teamcity.web.header.Content-Security-Policy.protectedValue=frame-ancestors 'self';default-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;connect-src 'self' ws: wss:;img-src 'self' https://www.gravatar.com;font-src 'self' data: https://fonts.gstatic.com
teamcity.web.header.Content-Security-Policy.adminUI.protectedValue=frame-ancestors 'self';default-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;connect-src 'self' ws: wss:;img-src 'self' https://www.gravatar.com;font-src 'self' data: https://fonts.gstatic.com

Vampire commented 4 years ago

Not only Gravatar, but also other domains, like taking the avatars from our Jira users. :-(

Vampire commented 4 years ago

Please use the http://javadoc.jetbrains.net/teamcity/openapi/current/jetbrains/buildServer/web/ContentSecurityPolicyConfig.html API to fix this properly without the need to set internal properties.
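
As an added illustration, not code from the plugin or from anyone in this thread: a small checker that parses a CSP header and decides whether an image URL passes its img-src directive (falling back to default-src as browsers do), run against the policy TeamCity logged above and the values proposed in the thread. The page origin is a placeholder and the list of 127.0.0.1 ports is shortened.

```python
from urllib.parse import urlsplit

# Constructed inputs: the CSP TeamCity 2019.1 logged in this issue (ports trimmed),
# the img-src values proposed in the thread, and the Gravatar URL that was refused.
PAGE_ORIGIN = "https://teamcity.example.test"  # placeholder origin, not from the issue
TEAMCITY_CSP = "img-src 'self' data: http://127.0.0.1:63330 http://127.0.0.1:63331"
KIR_CSP = ("frame-ancestors 'self';default-src 'self' 'unsafe-inline';"
           "img-src 'self' data: https://www.gravatar.com;font-src 'self' data:")
AGROSS_CSP = "default-src 'self';img-src 'self' https://www.gravatar.com;font-src 'self' data:"
GRAVATAR = "https://www.gravatar.com/avatar/418efad95977c2314e8fecff04f7bb41.jpg?d=404"

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Simplified CSP source matching: keywords, scheme-source, host-source (no paths)."""
    u, page = urlsplit(url), urlsplit(page_origin)
    uh, expr = u.hostname or "", expr.lower()
    if expr == "'self'":
        return (u.scheme, uh, u.port) == (page.scheme, page.hostname, page.port)
    if expr.startswith("'"):                       # 'none', 'unsafe-inline', nonces, hashes
        return False
    if expr.endswith(":") and "/" not in expr:     # scheme-source, e.g. data: or ws:
        return u.scheme == expr[:-1]
    s = urlsplit(expr if "://" in expr else "//" + expr)   # host-source
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    host_ok = (host == "*" or host == uh
               or (host.startswith("*.") and uh.endswith(host[1:])))
    port_ok = s.port is None or s.port == u.port
    return host_ok and port_ok

def allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """True if `url` may load under `directive`; absent directives fall back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: the policy does not restrict this fetch
    return any(source_matches(e, url, page_origin) for e in sources)
```

Run against the thread's values, the checker confirms the logged policy refuses the Gravatar URL and kir's value admits it; it also shows that the value agross tested drops the `data:` source TeamCity's own img-src carried, so inline data: images would be refused under it.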