mozilla / addons

☂ Umbrella repository for Mozilla Addons ✨

Remove `'self'` from CSP img-src if possible #2099

Open diox opened 2 years ago

diox commented 2 years ago

Our CSP in addons-frontend allows images loaded from 'self' (on top of data:, https://addons.mozilla.org/static-frontend/, https://addons.mozilla.org/static-server/ and GA which we want). Figure out why and whether we could remove that.

See also https://github.com/mozilla/addons/issues/14316

┆Issue is synchronized with this Jira Task

KevinMind commented 4 months ago

Old Jira Ticket: https://mozilla-hub.atlassian.net/browse/ADDFRNT-19

diox commented 1 week ago

Only other image I can think of is the favicon... See also https://bugzilla.mozilla.org/show_bug.cgi?id=1735994 (Chrome doesn't care: https://chromium-review.googlesource.com/c/chromium/src/+/2438388)
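One way to answer the "why" in this issue is to check which image URLs the `img-src` list permits only through `'self'`. The sketch below is an added example, not part of the thread or of addons-frontend; the matcher is simplified, the function names are hypothetical, and the image paths (including `/favicon.ico`) and the `default-src` value are assumptions.

```javascript
// Simplified img-src matching: scheme-sources, 'self', and host-sources with paths.
// Wildcards, ports and redirect handling are left out to keep the core case visible.
function parseImgSrc(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'img-src') return sources;
  }
  return [];
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  // A scheme-source such as "data:" matches on the scheme alone.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  let expr;
  try { expr = new URL(source); } catch { return false; }
  if (expr.origin !== url.origin) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return expr.pathname.endsWith('/')
    ? url.pathname.startsWith(expr.pathname)
    : url.pathname === expr.pathname;
}

// Returns the image URLs that the policy allows only because of 'self'.
function onlyAllowedBySelf(policy, imageUrls, pageOrigin) {
  const sources = parseImgSrc(policy);
  const withoutSelf = sources.filter((s) => s !== "'self'");
  return imageUrls.filter((raw) => {
    const url = new URL(raw, pageOrigin);
    const allowed = (list) => list.some((s) => sourceMatches(s, url, pageOrigin));
    return allowed(sources) && !allowed(withoutSelf);
  });
}

// Constructed sample: sources from the issue text (GA host omitted, default-src made up).
const PAGE_ORIGIN = 'https://addons.mozilla.org';
const POLICY = "default-src 'none'; img-src 'self' data: " +
  'https://addons.mozilla.org/static-frontend/ https://addons.mozilla.org/static-server/';
const IMAGES = [
  'https://addons.mozilla.org/static-frontend/logo.svg',   // assumed path
  'https://addons.mozilla.org/static-server/img/icon.png', // assumed path
  'data:image/png;base64,iVBORw0KGgo=',
  '/favicon.ico',                                          // assumed path
];
console.log(onlyAllowedBySelf(POLICY, IMAGES, PAGE_ORIGIN)); // [ '/favicon.ico' ]
```

Feeding it the image URLs actually requested by the site gives the list of resources that would need their own source expression, or relocation, before `'self'` can be dropped.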