blob: 2b27eff3b9a6d6bb74c997fd1a4ee89fb4b0a8f4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
On firefox 45, remote images are not shown in the webmail because of the CSP:
```
Content Security Policy: The page's settings blocked the loading of a resource at https://sendy.nitrokey.com/uploads/1431348652.png ("img-src https://mail.fripost.org").
```
Oh wait, that's weird: it seems to block data-urls too:
```
Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org").
```
I'm not excited about allowing browsers to load images from arbitrary sources, but hopefully roundcube's anti-XSS filter is good enough. I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/)
that other external ressources blocked by the CSP are probably malicious. Let's call that [done](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf). -- [[guilhem]]
|