
CSP: Also allow data: for media_src #10307

Closed
wants to merge 1 commit into from

Conversation

@idl0r commented Sep 2, 2024

Currently CSP complains and doesn't load those "media" references because CSP for media_src defaults to default_src, which is "self" only. media_src also needs "data:" which is added through my commit / PR.
The error appears for example when being on a host.
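The PR description rests on one CSP rule: a fetch directive such as `media-src` that is absent from the policy is governed by `default-src`. The evaluator below is an added example, not Foreman's code and not the change in this PR. It parses a policy string, resolves that fallback and reports which directive a blocked load violates, which is why a browser reports a blocked `media-src` load as a violation of `default-src 'self'` when no `media-src` is set. The page origin, the `data:` URL and the two policy strings are constructed sample values; only the source expressions relevant here (`'self'`, `'none'`, `*`, scheme sources such as `data:` and scheme-qualified host sources) are modelled.

```ruby
require 'uri'

# Added example, not Foreman's code: a small Content-Security-Policy
# evaluator that models how fetch directives fall back to default-src.

# Fetch directives that fall back to default-src when they are not set.
# (worker-src and frame-src consult child-src/script-src first; that
# intermediate chain is not modelled here.)
FALLBACK_TO_DEFAULT = %w[
  script-src style-src img-src media-src font-src connect-src
  object-src frame-src child-src worker-src manifest-src
].freeze

# Parse "name src src; name src" into { 'name' => ['src', 'src'] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, policy|
    name, *sources = part.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] = sources
  end
end

# [directive_name, sources] for the directive that governs `directive`,
# honouring the fallback to default-src, or nil when nothing restricts it.
def governing_directive(policy, directive)
  return [directive, policy[directive]] if policy.key?(directive)
  if FALLBACK_TO_DEFAULT.include?(directive) && policy.key?('default-src')
    return ['default-src', policy['default-src']]
  end
  nil
end

# scheme://host:port of a URL, or nil for opaque URLs such as data: ones.
def origin_of(url)
  u = URI.parse(url)
  return nil if u.host.nil? || u.port.nil?
  "#{u.scheme.downcase}://#{u.host.downcase}:#{u.port}"
rescue URI::InvalidURIError
  nil
end

def same_origin?(url, other)
  a = origin_of(url)
  !a.nil? && a == origin_of(other)
end

# Does one source expression match the URL? Models 'none', 'self', '*',
# scheme sources (data:) and scheme-qualified host sources.
def source_matches?(src, url, page_origin)
  case src.downcase
  when "'none'" then false
  when "'self'" then same_origin?(url, page_origin)
  when '*'      then !url.downcase.start_with?('data:', 'blob:', 'filesystem:')
  else
    if src.end_with?(':')                     # scheme source, e.g. "data:"
      url.downcase.start_with?(src.downcase)
    else                                      # host source, e.g. https://cdn.example.com
      same_origin?(url, src)
    end
  end
end

# Evaluate a load. Returns { allowed: true } or
# { allowed: false, violated: "default-src 'self'" }, the latter naming the
# directive the browser would cite in its console message.
def check_load(header, directive, url, page_origin)
  name, sources = governing_directive(parse_csp(header), directive)
  return { allowed: true } if name.nil?
  allowed = sources.any? { |src| source_matches?(src, url, page_origin) }
  allowed ? { allowed: true } : { allowed: false, violated: "#{name} #{sources.join(' ')}" }
end

# Constructed sample values (host name follows the thread's example).
PAGE_ORIGIN = 'https://foreman.example.com'
DATA_MEDIA  = 'data:audio/wav;base64,UklGRgAAAABXQVZF'   # constructed, not a real clip
STRICT_CSP  = "default-src 'self'"                        # the default discussed above
MEDIA_CSP   = "default-src 'self'; media-src 'self' data:" # explicit media-src with data:

if $PROGRAM_NAME == __FILE__
  p check_load(STRICT_CSP, 'media-src', DATA_MEDIA, PAGE_ORIGIN)
  p check_load(MEDIA_CSP,  'media-src', DATA_MEDIA, PAGE_ORIGIN)
  # Adding data: to media-src leaves every other directive on the fallback:
  p check_load(MEDIA_CSP,  'script-src', 'data:text/javascript,1', PAGE_ORIGIN)
end
```

The third call shows the property a reviewer of a change like this one wants to confirm: adding `data:` to `media-src` widens only media loads, while `script-src` still resolves to `default-src 'self'` and a `data:` script stays blocked.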

@ekohl (Member) commented Sep 3, 2024

When I read https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src it says they're used for <audio> and <video> but I don't think we use those elements now. Can you share a reproducer where it fails?

@idl0r (Author) commented Sep 3, 2024

> When I read https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src it says they're used for <audio> and <video> but I don't think we use those elements now. Can you share a reproducer where it fails?

```
Content-Security-Policy: The page’s settings blocked the loading of a resource (media-src) at data: because it violates the following directive: “default-src 'self'”
```

That's when visiting e.g. https://foreman.example.com/hosts/n095137.example.com
It just links to the source of that URL so nothing else helpful, no link to the exact location / position etc. :(
Applying the mentioned change fixes the error.

There are also some more / other errors but I'm not sure how to fix them:

```
downloadable font: kern: Too large subtable (font-family: "Open Sans" style:normal weight:700 stretch:100 src index:3) source: https://foreman.example.com/assets/OpenSans-Bold-webfont-895ed3b017b8c886c1f6be929d261f4be5e9b276651c9a3ee6243593feafb9f4.woff2
downloadable font: Table discarded (font-family: "Open Sans" style:normal weight:700 stretch:100 src index:3) source: https://foreman.example.com/assets/OpenSans-Bold-webfont-895ed3b017b8c886c1f6be929d261f4be5e9b276651c9a3ee6243593feafb9f4.woff2
downloadable font: kern: Too large subtable (font-family: "Open Sans" style:normal weight:600 stretch:100 src index:3) source: https://foreman.example.com/assets/OpenSans-Semibold-webfont-71a1e28d3ed5cc266e61a4f55273cab7103c9cd3f6fc6322f0f3d71fcece088a.woff2
downloadable font: Table discarded (font-family: "Open Sans" style:normal weight:600 stretch:100 src index:3) source: https://foreman.example.com/assets/OpenSans-Semibold-webfont-71a1e28d3ed5cc266e61a4f55273cab7103c9cd3f6fc6322f0f3d71fcece088a.woff2
downloadable font: kern: Too large subtable (font-family: "Open Sans" style:normal weight:400 stretch:100 src index:3) source: https://foreman.example.com/assets/OpenSans-Regular-webfont-033af09d86f3c23dc9c310da82a44903e933bf1eb9736e9910e22df9e8caa1d1.woff2
downloadable font: Table discarded (font-family: "Open Sans" style:normal weight:400 stretch:100 src index:3) source: https://foreman.example.com/assets/OpenSans-Regular-webfont-033af09d86f3c23dc9c310da82a44903e933bf1eb9736e9910e22df9e8caa1d1.woff2
```

@ekohl (Member) commented Sep 3, 2024

> Content-Security-Policy: The page’s settings blocked the loading of a resource (media-src) at data: because it violates the following directive: “default-src 'self'”
>
> That's when visiting e.g. https://foreman.example.com/hosts/n095137.example.com
> It just links to the source of that URL so nothing else helpful, no link to the exact location / position etc. :(
> Applying the mentioned change fixes the error.

When you look at the network tab (like in https://content-security-policy.com/examples/blocked-csp/), do you see which resource is blocked?

> There are also some more / other errors but I'm not sure how to fix them:

https://bugzilla.mozilla.org/show_bug.cgi?id=1185685 says it's an issue with OpenSans and not something that can be resolved.

@idl0r (Author) commented Sep 3, 2024

Oh, wow, never mind... I couldn't find anything so far but it turned out it's the NoScript Firefox extension... So for some reason it is causing that CSP error. Sorry :(

@idl0r idl0r closed this Sep 3, 2024
@idl0r idl0r deleted the patch-1 branch September 3, 2024 13:57
@ekohl (Member) commented Sep 3, 2024

Thanks for adding a conclusion on what it was. At least it's a good data point.
