~sircmpwn/sr.ht-discuss


setting CSP "img-src: https:;" breaks embedded images

Details
Message ID
<17b1e00e3e6fc76f.11b6474b30d22688.40264f8e989a4668@yoga>
DKIM signature
pass
After `aa82be3` [1], images embedded as base64 via `data:` URIs do not
work anymore. Before, `img-src` was not set, so it followed
`default-src` which includes `data:`. However, now that `img-src` is set
explicitly to only `https:`, this does not work anymore. I would assume
that `'self'` should be added as well, to have relative paths work, but
I haven't tested if that is necessary. 

Is this intentional, or can we set `img-src: 'self' https: data:;`?

[1]: https://git.sr.ht/~sircmpwn/pages.sr.ht/commit/27e1f6de8474c31f3e161ee633393c1d757878de

-- 
Knut Magnus Aasrud
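
The fallback behaviour described in the message above, as an added example that is not part of the original thread or of pages.sr.ht's code: a simplified model of how a browser picks the directive that governs an image load. The policy strings, the `user.example` page URL and the function names are constructed for illustration.

```javascript
// Simplified CSP check for image loads. Handles only scheme-sources
// (https:, data:), 'self' and 'none'; host-sources, '*', nonces and
// hashes are out of scope and never match here.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // When a directive is repeated, the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Decide whether an <img> with the given src may load on pageUrl.
function imageAllowed(policy, pageUrl, src) {
  const directives = parseCsp(policy);
  // img-src, when present, replaces default-src entirely; nothing is merged.
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive
  const page = new URL(pageUrl);
  const target = new URL(src, page); // resolves relative paths
  return sources.some((source) => {
    const s = source.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return target.origin === page.origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
    return false;
  });
}

// Constructed policies for illustration, not pages.sr.ht's actual headers.
const BEFORE = "default-src 'self' data:";
const AFTER = "default-src 'self' data:; img-src https:";
const PROPOSED = "default-src 'self' data:; img-src 'self' https: data:";
const PAGE = 'https://user.example/blog/';
const DATA_IMG = 'data:image/png;base64,iVBORw0KGgo=';

for (const [label, policy] of [['before', BEFORE], ['after', AFTER], ['proposed', PROPOSED]]) {
  console.log(label, 'data:', imageAllowed(policy, PAGE, DATA_IMG),
    'relative:', imageAllowed(policy, PAGE, 'img/logo.png'));
}
```

In this model a relative path on an `https:` page resolves to an `https:` URL and is already matched by the `https:` scheme-source; `'self'` only changes the result when the page itself is served over another scheme such as `http:`.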
Details
Message ID
<CYZOT1QAN3I1.39HZBFP2DHXVA@taiga>
In-Reply-To
<17b1e00e3e6fc76f.11b6474b30d22688.40264f8e989a4668@yoga>
DKIM signature
pass
I'm fine with allowing data: urls, can you send a patch with the
appropriate fix?
Details
Message ID
<17b1e31ec4034ba2.11b6474b30d22688.40264f8e989a4668@yoga>
In-Reply-To
<CYZOT1QAN3I1.39HZBFP2DHXVA@taiga>
DKIM signature
pass
> I'm fine with allowing data: urls, can you send a patch with the
> appropriate fix?

Sure! Just sent a patch [1].

[1]: https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/49280