| author | guilhem <guilhem@web> | 2016-04-07 19:20:07 +0200 |
|---|---|---|
| committer | Fripost Admins <admin@fripost.org> | 2016-04-07 19:20:07 +0200 |
| commit | 8ca6c89b6f0148ce0f320e7c784e2c1bee929ad1 (patch) | |
| tree | 17363d38d950c1d9da6c3face0edbc485bd136a1 | |
| parent | 49504f2d0e8bfb55f72ca9d29bb3ab29810e182a (diff) | |
done
-rw-r--r-- | tracker/CSP_too_strict.mdwn | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/tracker/CSP_too_strict.mdwn b/tracker/CSP_too_strict.mdwn index c195584..2b27eff 100644 --- a/tracker/CSP_too_strict.mdwn +++ b/tracker/CSP_too_strict.mdwn @@ -9,3 +9,6 @@ Oh wait, that's weird: it seems to block data-urls too: ``` Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org"). ``` + +I'm not excited about allowing browsers to load images from arbitrary sources, but hopefully roundcube's anti-XSS filter is good enough. I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/) +that other external ressources blocked by the CSP are probably malicious. Let's call that [done](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf). -- [[guilhem]] |
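Review bot: the added paragraph justifies loosening `img-src` to arbitrary sources, but the only blocked load quoted in the hunk is a `data:` URL under the policy `img-src https://mail.fripost.org`; a `data:` source expression (e.g. `img-src https://mail.fripost.org data:`) would unblock that image without letting the webmail page fetch remote images at all, so the tracker note should say why the broader relaxation, which leaves remote-image safety to roundcube's anti-XSS filter, was chosen over that narrower change. It would also help to record the resulting `img-src` value here rather than only in the linked fripost-ansible commit, so the trade-off is auditable from the tracker entry itself. Minor: "ressources" should read "resources" in the added line.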