summaryrefslogtreecommitdiffstats
path: root/tracker/CSP_too_strict.mdwn
diff options
context:
space:
mode:
Diffstat (limited to 'tracker/CSP_too_strict.mdwn')
-rw-r--r--tracker/CSP_too_strict.mdwn15
1 files changed, 15 insertions, 0 deletions
diff --git a/tracker/CSP_too_strict.mdwn b/tracker/CSP_too_strict.mdwn
new file mode 100644
index 0000000..308754d
--- /dev/null
+++ b/tracker/CSP_too_strict.mdwn
@@ -0,0 +1,15 @@
+On firefox 45, remote images are not shown in the webmail because of the CSP:
+
+```
+Content Security Policy: The page's settings blocked the loading of a resource at https://sendy.nitrokey.com/uploads/1431348652.png ("img-src https://mail.fripost.org").
+```
+
+Oh wait, that's weird: it seems to block data-urls too:
+
+```
+Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org").
+```
+
+I'm not too excited about allowing browsers to load images from arbitrary sources, but [did it anyway](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf) with the hope that roundcube's anti-XSS filter is good enough.
+I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/) that other external resources blocked by the CSP are probably malicious.
+[[closed]]. -- [[guilhem]]
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-15 13:28:12 +0000