niklasvh / html2canvas

Screenshots with JavaScript
https://html2canvas.hertzen.com/
MIT License

Allowing CSP img-src data: scheme required. Change to blob:? #2521

Open anders-kiaer opened 3 years ago

anders-kiaer commented 3 years ago

Please follow the general troubleshooting steps first:

Bug reports:

html2canvas is working nicely with strict CSP settings (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP), except that it appears you have to allow the data: scheme in img-src, e.g. using something like:

"default-src": "self'",
"img-src": ["'self'", "data:"]

Snippet from Mozilla's documentation on img-src CSP (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src):

<scheme-source> A scheme such as http: or https:. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended):

  • data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
  • blob: Allows blob: URIs to be used as a content source.

I'm wondering if it is feasible to use blob: instead of data:. To my knowledge, the reason Mozilla's documentation doesn't have the same explicit warning for blob: is due to the fact that blob: URLs can only be generated internally by the browser (while data: URLs can be crafted externally).

Not sure how though - one approach might be to try replacing .toDataURL occurrences in the code with .toBlob, which also appears to have other benefits besides allowing blob: vs data:.

It looks like pure text etc. is already today properly captured in screenshots even without allowing data:, while e.g. properly capturing SVGs currently requires data:.

Specifications:
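As an added example (not html2canvas code, and not part of the issue), this checks what a CSP header like the one quoted above permits for images, and shows the toBlob()/URL.createObjectURL() path that needs only blob: in img-src instead of data:. The sample policies are constructed from the issue text; the canvas helpers assume a browser canvas element.

```javascript
// Parse "directive src src; directive src" into { directive: [src, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map(s => s.toLowerCase());
  }
  return directives;
}

// Report the effective img-src sources. img-src is a fetch directive, so it
// falls back to default-src when it is not set explicitly.
function imgSrcPolicy(header) {
  const d = parseCsp(header);
  const sources = d['img-src'] ?? d['default-src'] ?? [];
  return {
    sources,
    allowsData: sources.includes('data:'),
    allowsBlob: sources.includes('blob:'),
  };
}

// Constructed sample policies: what the issue currently needs, and the
// blob:-only variant the issue proposes.
const POLICY_WITH_DATA = "default-src 'self'; img-src 'self' data:";
const POLICY_WITH_BLOB = "default-src 'self'; img-src 'self' blob:";

// Browser side: canvas.toDataURL() yields a data: URI, which the policy must
// whitelist. toBlob() + URL.createObjectURL() yields a blob: URL instead,
// which only the browser itself can mint for this origin.
function canvasToObjectUrl(canvas, type = 'image/png') {
  return new Promise((resolve, reject) => {
    canvas.toBlob(blob => {
      if (!blob) return reject(new Error('toBlob() produced no Blob'));
      resolve(URL.createObjectURL(blob));
    }, type);
  });
}

// Point an <img> at the blob: URL and release it once loaded, so object URLs
// do not accumulate for the lifetime of the page.
function attachObjectUrl(img, url) {
  img.onload = () => URL.revokeObjectURL(url);
  img.src = url;
}
```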

niklasvh commented 3 years ago

The library currently supports Firefox 3.5+, Google Chrome, Opera 12+, IE9+, Safari 6+, from which at least IE9 does not support Blobs. Arguably, updating that list and dropping support for some of the older versions is long overdue, at which point use of Blobs could be evaluated.

cattermo commented 9 months ago

Hi! Can this be revisited? IE9 support should not be necessary any more?