I'm using Lightbox2 v2.9.0 and have identified a Content Security Policy (CSP) error when loading my site on Firefox and Chrome. Lightbox2 uses a data-embedded image for the .lb-nav anchor (line 94 in lightbox.css for the current version, 2.11.4). Without adding the data: directive to img-src in the CSP, the page blocks this image with the following error:
Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at data:image/svg+xml;base64,PHN2ZyB4bWxucz… because it violates the following directive: “img-src...
Using the data: directive leaves sites open to XSS attacks and is recommended against by several sites, including W3C's CSP Level 3 Working Draft. See section 6:
In either case, developers SHOULD NOT include either unsafe-inline, or data: as valid sources in their policies. Both enable XSS attacks by allowing code to be included directly in the document itself; they are best avoided completely.
Can Lightbox2's data-embedded image be replaced with a local image to avoid using the risky data: directive?
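The following is an added example, not code from the issue or from the Lightbox2 project. It parses a Content-Security-Policy header, works out which source list actually governs image loads (img-src, falling back to default-src as browsers do), flags the sources the quoted CSP3 draft says to avoid, and rebuilds the header with data: removed from img-src, which is the policy a site can run once the navigation image is served from its own origin instead of a data URI. The sample policies are constructed for illustration.

```python
"""Check a CSP header for data: in the effective img-src and tighten it.

Added example, not part of the Lightbox2 issue or project. Sample policies
below are constructed.
"""

from typing import Dict, List

# Sources the W3C CSP3 draft (section 6, quoted in the issue) says SHOULD NOT
# appear in a policy. Keywords and schemes are matched case-insensitively.
RISKY_SOURCES = {"data:", "'unsafe-inline'"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; each is a name followed by whitespace-separated
    source expressions. Directive names are case-insensitive, so they are
    lower-cased. A repeated directive is ignored by browsers, so the first wins.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the source list that governs a fetch directive such as img-src.

    Fetch directives fall back to default-src when absent; if neither is
    present the load is unrestricted and an empty list is returned.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def risky_img_sources(header: str) -> List[str]:
    """List the risky source expressions that would let an <img> load."""
    sources = effective_sources(parse_csp(header), "img-src")
    return [s for s in sources if s.lower() in RISKY_SOURCES]


def drop_data_from_img_src(header: str) -> str:
    """Rebuild the header with data: removed from the effective img-src.

    When img-src was inherited from default-src, an explicit img-src is added
    so the other fetch directives keep their existing fallback behaviour.
    """
    policy = parse_csp(header)
    sources = [s for s in effective_sources(policy, "img-src") if s.lower() != "data:"]
    policy["img-src"] = sources or ["'none'"]
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items())


# Constructed sample: the policy needed today to let Lightbox2's inline image
# load, and the tightened one once that image is hosted under the site's origin.
PERMISSIVE = "default-src 'self'; img-src 'self' data:; script-src 'self'"
TIGHTENED = drop_data_from_img_src(PERMISSIVE)

if __name__ == "__main__":
    print("risky img sources:", risky_img_sources(PERMISSIVE))
    print("tightened policy: ", TIGHTENED)
```

The tightened policy only works if the CSS no longer references a data URI: the page's own stylesheet has to override the Lightbox2 rule for the .lb-nav anchor with a background-image served from an origin that img-src allows (for example a file under the site's own origin, covered by 'self'). The exact selector and file path depend on the Lightbox2 version and are not taken from the issue.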