paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License
543 stars 40 forks

Allow adding "blob" as source in JSON #17

Closed daniplaninc closed 6 years ago

daniplaninc commented 7 years ago

I would like to do this:

"img-src": { "self": true, "data": true, "blob": true },

However, the "blob":true has no effect. I can resolve this by adding it in the other way:

$csp->addSource('image-src', "blob:");

but that results in having to look at annoying error messages in the console: 1

As a solution I would also accept any way to remove the automatic addition of "http://blob" and "https://blob" to the source list.

paragonie-scott commented 7 years ago

This is the first I've heard of blob: being a thing. I thought only data: URIs were standard?

daniplaninc commented 7 years ago

I am using Sir Trevor, which stores an image blob on the site temporarily, that is when I get the CSP error: Refused to load the image 'blob:<image-name>' because it violates the following Content Security Policy directive: "img-src ...

blob: is listed here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src

paragonie-scott commented 6 years ago

Sorry, I missed this somehow.

This will be fixed in v2.3.0, which will be released sometime today.
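
The distinction at issue in this thread, as an added example that is not csp-builder's own code: `data:` and `blob:` are scheme-sources and have to be emitted verbatim, while bare host names get a scheme prefix. The function `buildDirective`, the `allow` host list and the host `cdn.example.com` are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not csp-builder's implementation.
// Boolean JSON keys that map to CSP scheme-sources.
const SCHEME_KEYWORDS = ['data' => 'data:', 'blob' => 'blob:'];

/**
 * Serialize one directive from a config array shaped like the JSON in the issue.
 * The "allow" key (a list of hosts) is an assumption for this example.
 */
function buildDirective(string $name, array $config): string
{
    $sources = [];
    if (!empty($config['self'])) {
        $sources[] = "'self'";
    }
    foreach (SCHEME_KEYWORDS as $key => $token) {
        if (!empty($config[$key])) {
            $sources[] = $token;
        }
    }
    foreach ($config['allow'] ?? [] as $source) {
        if (preg_match('/^[a-z][a-z0-9+.-]*:$/i', $source)) {
            // Scheme-source such as "blob:": emit as-is, never as a host name.
            $sources[] = strtolower($source);
        } elseif (preg_match('#^[a-z][a-z0-9+.-]*://#i', $source)) {
            // Host-source that already carries its scheme.
            $sources[] = $source;
        } else {
            // Bare host: pin it to HTTPS.
            $sources[] = 'https://' . $source;
        }
    }
    if ($sources === []) {
        $sources[] = "'none'";
    }
    return $name . ' ' . implode(' ', array_unique($sources));
}

// Constructed sample input based on the JSON in the first comment.
$json = '{"self": true, "data": true, "blob": true, "allow": ["cdn.example.com", "blob:"]}';
$config = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
echo buildDirective('img-src', $config), PHP_EOL;
```

Enable `blob:` only on the directive that needs it (here `img-src`); the same token in `script-src` would let script loaded from blob URLs run.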