View Issue Details

ID: 0020874
Project: mantisbt
Category: ui
View Status: public
Last Update: 2023-10-31 16:36
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 1.3.0-beta.2
Target Version: 2.27.0
Summary: 0020874: Content Security Policy blocked embedded images added by Chrome Extension
Description

The content security policy that we have in place blocks images embedded in the HTML, whether they are embedded by a plugin or by a Chrome extension. The case where I hit this issue was a Chrome extension that added an integration button, but the image (which was embedded as a background image in CSS) was blocked.

The fix for this specific case is to whitelist "data:" as per the stackoverflow thread below?

http://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28

We can do the following:

  1. Ask administrator to update code to add their CSP.
  2. Add a config option that enables admin to whitelist sources.
  3. Add an event to enable plugins to whitelist their own sources. Gravatar's plugin approach overrides the previous header, as per my understanding, rather than complementing it.

I personally think 2 and 3 should be implemented. What are the thoughts of also enabling "data:" by default?

@dregad and @atrol what are your thoughts?

Tags: mantishub
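The behaviour discussed above (a plugin that replaces the CSP header drops the admin's "data:" entry, while merging sources keeps it) can be modelled with a small policy builder. This is an added example written for this issue, not MantisBT's own PHP code or its config or plugin API; the contributor names (core, admin_config, gravatar_plugin), the site origin and the sample URLs are all assumed for illustration, and the source matcher covers only the source expressions this discussion needs ('none', 'self', scheme sources such as data:, and host sources; ports and paths are not modelled).

```python
"""Merging vs. overriding Content-Security-Policy sources (added example).

Stand-in model for this discussion, not MantisBT code. Contributor names,
SITE_ORIGIN and the sample URLs are assumptions.
"""
from collections import OrderedDict
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bugs.example.test"  # assumed origin of the MantisBT install


def source_matches(source, url, page_origin=SITE_ORIGIN):
    """Return True if one CSP source expression permits fetching `url`."""
    if source == "'none'":
        return False
    parts = urlsplit(url)
    # data:image/png;... has no netloc, so its "origin" is just the scheme
    origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else parts.scheme + ":"
    if source == "'self'":
        return origin == page_origin
    if source.endswith(":") and "/" not in source:
        # scheme source, e.g. data: or https:
        return parts.scheme + ":" == source
    # host source, optionally with a scheme and a leading *. wildcard
    scheme, sep, host = source.rpartition("://")
    if sep and scheme != parts.scheme:
        return False
    if host.startswith("*."):
        return (parts.hostname or "").endswith(host[1:])
    return parts.hostname == host


class CspPolicy:
    """Accumulates sources per directive and answers 'would this URL load?'."""

    def __init__(self):
        self._sources = OrderedDict()

    def add(self, directive, *sources):
        bucket = self._sources.setdefault(directive, [])
        for src in sources:
            if src not in bucket:
                bucket.append(src)
        return self

    def header(self):
        """Serialise to the value of a Content-Security-Policy header."""
        return "; ".join(f"{d} {' '.join(v)}" for d, v in self._sources.items())

    def allows(self, directive, url):
        # CSP fallback: a missing fetch directive is governed by default-src
        sources = self._sources.get(directive) or self._sources.get("default-src") or []
        return any(source_matches(s, url) for s in sources)


# Constructed contributions, in the order they would register during a request.
CONTRIBUTIONS = [
    ("core",            "default-src", ["'self'"]),
    ("core",            "img-src",     ["'self'"]),
    ("admin_config",    "img-src",     ["data:"]),                        # option 2
    ("gravatar_plugin", "img-src",     ["https://secure.gravatar.com"]),  # option 3
]


def build_policy(contributions, merge=True):
    """merge=True complements earlier sources; merge=False models a contributor
    that emits its own complete header, replacing everything before it."""
    policy = CspPolicy()
    for _contributor, directive, sources in contributions:
        if not merge:
            policy = CspPolicy()
        policy.add(directive, *sources)
    return policy


# Constructed sample resources: the extension's inline background image,
# a Gravatar avatar, a same-origin image and a data: script.
INLINE_IMAGE = "data:image/png;base64,iVBORw0KGgo="
AVATAR = "https://secure.gravatar.com/avatar/abc"
LOCAL_IMAGE = SITE_ORIGIN + "/images/logo.png"
INLINE_SCRIPT = "data:text/javascript,alert(1)"

if __name__ == "__main__":
    for merge in (True, False):
        policy = build_policy(CONTRIBUTIONS, merge=merge)
        print("merge" if merge else "override", "->", policy.header())
        for name, url in (("inline image", INLINE_IMAGE), ("avatar", AVATAR),
                          ("local image", LOCAL_IMAGE)):
            print(f"  img-src allows {name}: {policy.allows('img-src', url)}")
        print(f"  script-src allows data: script: {policy.allows('script-src', INLINE_SCRIPT)}")
```

With merging, the header becomes `default-src 'self'; img-src 'self' data: https://secure.gravatar.com`, so the extension's data: image, the avatar and same-origin images all load, while a data: script is still refused because script-src falls back to `default-src 'self'`. With the override model, only the last contributor's `img-src https://secure.gravatar.com` survives, so both the admin's data: entry and 'self' are lost. The same fallback rule is the caveat for the "enable data: by default" question: data: in img-src only admits inline images, whereas data: in script-src or style-src would let injected content bypass the policy, so any default should be scoped to img-src.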

Activities

atrol (developer), note ~0053072, 2016-05-05 05:17 (last edited 2017-03-02 05:03)

> Add a config option that enables admin to whitelist sources.

Didn't try, but the existing option custom_headers might be enough for it.

> What are the thoughts of also enabling "data:" by default?

Don't have time to check all details for that. Might mean less security out of the box, thus should be a decision of the administrator.