| field | value | date |
|---|---|---|
| author | Gustav Eek <gustav.eek@fripost.org> | 2018-12-30 10:26:10 +0100 |
| committer | Gustav Eek <gustav.eek@fripost.org> | 2018-12-30 10:26:10 +0100 |
| commit | 151ef6437bc2194252f53713f6567e02963c1f7a (patch) | |
| tree | a57f41c33f1403b1d50449221751302ad867bfce /tracker/CSP_too_strict.mdwn | |
| parent | 25395abcb95f1c75950b9f28e68ef2b10d32dba3 (diff) | |
| parent | f7e3f97b71fa71b5880f31f1ea66e35e181a9711 (diff) | |
Merge branch 'master' into contact-procedure-update
Diffstat (limited to 'tracker/CSP_too_strict.mdwn')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | tracker/CSP_too_strict.mdwn | 15 |

1 files changed, 15 insertions, 0 deletions
diff --git a/tracker/CSP_too_strict.mdwn b/tracker/CSP_too_strict.mdwn new file mode 100644 index 0000000..308754d --- /dev/null +++ b/tracker/CSP_too_strict.mdwn @@ -0,0 +1,15 @@ +On firefox 45, remote images are not shown in the webmail because of the CSP: + +``` +Content Security Policy: The page's settings blocked the loading of a resource at https://sendy.nitrokey.com/uploads/1431348652.png ("img-src https://mail.fripost.org"). +``` + +Oh wait, that's weird: it seems to block data-urls too: + +``` +Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org"). +``` + +I'm not too excited about allowing browsers to load images from arbitrary sources, but [did it anyway](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf) with the hope that roundcube's anti-XSS filter is good enough. +I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/) that other external resources blocked by the CSP are probably malicious. +[[closed]]. -- [[guilhem]] |
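Review bot: the second error in this hunk (the `data:image/gif;base64,...` URL blocked by `img-src https://mail.fripost.org`) is not the same problem as the first, and its fix does not require admitting arbitrary hosts: a CSP host-source such as `https://mail.fripost.org` never matches the `data:` scheme, so data URLs are only permitted when the scheme-source `data:` is listed explicitly, e.g. `img-src https://mail.fripost.org data:`. The ticket text conflates the two and then justifies allowing images "from arbitrary sources" for both; it would be clearer if it recorded the final `img-src` value the linked fripost-ansible commit (c90ae1fe) settles on, and which of the two errors that value was meant to address, so the trade-off against roundcube's anti-XSS filter can be reviewed later. The sentence "other external resources blocked by the CSP are probably malicious" also needs a word on what the Email Privacy Tester run actually showed, since as written it does not say which resource types were checked.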