Commento with out of the box patches and updates to add useful features and fixes. Also with one-click deploy to Heroku so you can get up and running fast.
MIT License
Consider to stop loading icons using data:image because of CSP security issues #126
Hello!
I have been a happy commento user for a few weeks now.
Today I was busy implementing CSP on my website. I thought I fixed everything for commento, but there were still some issues:
commento tries to load around 5 images like this:
which is this image:
This is not allowed because my CSP headers for `img-src` only contain `self` and `https://commento.mydomain.com`. In order to allow those images to load, I would need to add `data:` as an allowed origin for images, which can be considered unsafe.

I would prefer these images to be real images (png/webp/jpg/gif/whatever) so they would be part of the existing `img-src` policies.
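As an added example that is not part of this issue or of the commento-plus project: a simplified `img-src` matcher that shows why the data: icons are blocked under the reporter's policy, what adding `data:` changes, and why a real image file served from the commento origin passes the original policy. The page origin, image URLs and the base64 payload are constructed placeholders.

```javascript
// Parse a CSP header string into { directiveName: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does img-src (falling back to default-src) allow `url` on a page served
// from `pageOrigin`? Simplified: no port or wildcard-host handling.
function imgAllowed(header, pageOrigin, url) {
  const policy = parseCsp(header);
  const sources = policy["img-src"] || policy["default-src"];
  if (!sources) return true; // no applicable directive: unrestricted
  const scheme = url.split(":")[0].toLowerCase();
  for (const src of sources) {
    if (src === "'none'") return false;
    // "*" matches any URL except data:, blob: and filesystem: schemes
    if (src === "*" && !["data", "blob", "filesystem"].includes(scheme)) return true;
    if (src === "'self'" && url.startsWith(pageOrigin + "/")) return true;
    // scheme-source such as "data:" or "https:"
    const m = /^([a-z][a-z0-9+.-]*):$/i.exec(src);
    if (m && m[1].toLowerCase() === scheme) return true;
    // host-source: compare the origin prefix
    if (url.startsWith(src + "/")) return true;
  }
  return false;
}

// Constructed values: the reporter's policy and the relaxed workaround.
const PAGE_ORIGIN = "https://www.mydomain.com";
const STRICT_CSP = "default-src 'self'; img-src 'self' https://commento.mydomain.com";
const RELAXED_CSP = "default-src 'self'; img-src 'self' https://commento.mydomain.com data:";
// Constructed: a data: icon as the issue describes, and the preferred hosted file.
const DATA_URI_ICON = "data:image/png;base64,iVBORw0KGgo=";
const HOSTED_ICON = "https://commento.mydomain.com/images/icon.png";

function report() {
  return {
    dataUriUnderStrict: imgAllowed(STRICT_CSP, PAGE_ORIGIN, DATA_URI_ICON),   // false
    dataUriUnderRelaxed: imgAllowed(RELAXED_CSP, PAGE_ORIGIN, DATA_URI_ICON), // true
    hostedUnderStrict: imgAllowed(STRICT_CSP, PAGE_ORIGIN, HOSTED_ICON),      // true
  };
}
```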