From cf310835956b3548aacbef8088c18f20e542e69d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire?= Date: Thu, 7 Apr 2016 14:15:58 +0200 Subject: --- tracker/CSP_too_strict.mdwn | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 tracker/CSP_too_strict.mdwn (limited to 'tracker/CSP_too_strict.mdwn') diff --git a/tracker/CSP_too_strict.mdwn b/tracker/CSP_too_strict.mdwn new file mode 100644 index 0000000..c195584 --- /dev/null +++ b/tracker/CSP_too_strict.mdwn @@ -0,0 +1,11 @@ +On firefox 45, remote images are not shown in the webmail because of the CSP: + +``` +Content Security Policy: The page's settings blocked the loading of a resource at https://sendy.nitrokey.com/uploads/1431348652.png ("img-src https://mail.fripost.org"). +``` + +Oh wait, that's weird: it seems to block data-urls too: + +``` +Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org"). +``` -- cgit v1.2.3 From 8ca6c89b6f0148ce0f320e7c784e2c1bee929ad1 Mon Sep 17 00:00:00 2001 From: guilhem Date: Thu, 7 Apr 2016 19:20:07 +0200 Subject: done --- tracker/CSP_too_strict.mdwn | 3 +++ 1 file changed, 3 insertions(+) (limited to 'tracker/CSP_too_strict.mdwn') diff --git a/tracker/CSP_too_strict.mdwn b/tracker/CSP_too_strict.mdwn index c195584..2b27eff 100644 --- a/tracker/CSP_too_strict.mdwn +++ b/tracker/CSP_too_strict.mdwn 
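Review bot: the second blocked load in this hunk is not weird, it is CSP working as specified: `img-src https://mail.fripost.org` is a host-source, and host-sources never match `data:` URLs; the scheme has to be listed explicitly (`img-src https://mail.fripost.org data:`) before inline images render. The two blocked resources are also different cases and the ticket should keep them apart: `https://sendy.nitrokey.com/uploads/1431348652.png` is a network fetch that tells a third party the reader's address and when the message was opened, whereas `data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==` decodes to a 1x1 transparent GIF carried inside the message and triggers no request at all. Adding `data:` to `img-src` therefore costs little; widening the host list is the real trade-off. Suggest quoting the full `Content-Security-Policy` header in the ticket so the starting point of the change is on record.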
@@ -9,3 +9,6 @@ Oh wait, that's weird: it seems to block data-urls too: ``` Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org"). ``` + +I'm not excited about allowing browsers to load images from arbitrary sources, but hopefully roundcube's anti-XSS filter is good enough. I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/) +that other external ressources blocked by the CSP are probably malicious. Let's call that [done](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf). -- [[guilhem]] -- cgit v1.2.3 From e53be466f921b89ef475543434fafa5e9d89c3de Mon Sep 17 00:00:00 2001 From: guilhem Date: Thu, 7 Apr 2016 19:28:18 +0200 Subject: really close --- tracker/CSP_too_strict.mdwn | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'tracker/CSP_too_strict.mdwn') diff --git a/tracker/CSP_too_strict.mdwn b/tracker/CSP_too_strict.mdwn index 2b27eff..308754d 100644 --- a/tracker/CSP_too_strict.mdwn +++ b/tracker/CSP_too_strict.mdwn 
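Review bot: the added justification conflates two risks. Roundcube's anti-XSS filter is about script injection from message HTML; it says nothing about whether fetching `https://sendy.nitrokey.com/uploads/1431348652.png` leaks the reader's address, which is what the strict `img-src` was preventing. Conversely, relaxing `img-src` does not weaken the XSS posture as long as `script-src` stays unchanged, so the decision rests on the privacy trade-off, not on the filter. The Email Privacy Tester sentence is also too loose to be useful later ("other external ressources ... are probably malicious"): record which of its probes were blocked and which fired under the new policy. Minor: `ressources` is misspelled.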
@@ -10,5 +10,6 @@ Oh wait, that's weird: it seems to block data-urls too: Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org"). ``` -I'm not excited about allowing browsers to load images from arbitrary sources, but hopefully roundcube's anti-XSS filter is good enough. I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/) -that other external ressources blocked by the CSP are probably malicious. Let's call that [done](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf). -- [[guilhem]] +I'm not too excited about allowing browsers to load images from arbitrary sources, but [did it anyway](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf) with the hope that roundcube's anti-XSS filter is good enough. +I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/) that other external resources blocked by the CSP are probably malicious. +[[closed]]. -- [[guilhem]] -- cgit v1.2.3
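Review bot: the rewrite fixes the spelling and the run-on, but the ticket still never says what `img-src` was changed to; the only record is the linked fripost-ansible commit c90ae1fe9d40a0271844d321a7a54ee219735ccf, so "arbitrary sources" is ambiguous between `https:` and `*`, and whether `data:` was added for the inline GIF from the first report is not stated either. One quoted line with the new directive would make the `[[closed]]` entry self-contained for whoever revisits it.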