View Issue Details

IDProjectCategoryView StatusLast Update
0020874mantisbtuipublic2017-03-02 05:03
ReportervboctorAssigned Tovboctor 
Status assignedResolutionopen 
Product Version1.3.0-beta.2 
Target Version2.3.0Fixed in Version 
Summary0020874: Content Security Policy blocked embedded images added by Chrome Extension

The content security policy that we have in place blocks images embedded in the html whether they are embedded by a plugin or by a Chrome extension. The case where I hit this issue where the a chrome extension that added an integration button but the image (which was embedded as background image in css) was blocked.

The fix for this specific case is to whitelist "data:" as per the stackoverflow thread below?

We can do the following:

  1. Ask administrator to update code to add their CSP.
  2. Add a config option that enables admin to whitelist sources.
  3. Add an event to enable plugins to whitelist their own sources. Gravatar's plugin approach overrides previous header as per my understanding rather than complements it.

I personally think 2 and 3 should be implemented. What are the thoughts of also enabling "data:" by default?

@dregad and @atrol what are your thoughts?





2016-05-05 05:17

developer   ~0053072

Last edited: 2017-03-02 05:03

View 2 revisions

  1. Add a config option that enables admin to whitelist sources.

Didn't try, but the existing option custom_headers might be enough for it

What are the thoughts of also enabling "data:" by default?

Don't have time to check all details for that. Might mean less security out of the box, thus should be a decision of the administrator.

Issue History

Date Modified Username Field Change
2016-05-04 21:45 vboctor New Issue
2016-05-04 21:45 vboctor Status new => assigned
2016-05-04 21:45 vboctor Assigned To => vboctor
2016-05-04 21:45 vboctor Tag Attached: mantishub
2016-05-05 05:17 atrol Note Added: 0053072
2016-06-12 02:37 atrol Target Version 1.3.0-rc.2 => 1.3.0
2016-07-10 07:57 atroladmin Target Version 1.3.0 => 1.3.1
2016-08-28 10:37 atrol Target Version 1.3.1 => 1.3.2
2016-10-02 19:36 atrol Target Version 1.3.2 => 1.3.3
2016-10-30 23:23 vboctor Target Version 1.3.3 => 1.3.4
2016-11-27 08:22 dregad Target Version 1.3.4 => 1.3.5
2016-12-30 16:24 atrol Target Version 1.3.5 => 1.3.6
2017-02-01 22:47 vboctor Target Version 1.3.6 => 1.3.7
2017-02-26 21:19 vboctor Target Version 1.3.7 => 2.3.0
2017-03-02 05:03 dregad Note Edited: 0053072 View Revisions