CSP: Also allow data: for media_src #10307
When I read https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src it says they're used for
That's when visiting e.g. https://foreman.example.com/hosts/n095137.example.com There are also some more / other errors but I'm not sure how to fix them:
When you look at the network tab (like in https://content-security-policy.com/examples/blocked-csp/), do you see which resource is blocked?
https://bugzilla.mozilla.org/show_bug.cgi?id=1185685 says it's an issue with OpenSans and not something that can be resolved.
Oh, wow, never mind... I couldn't find anything so far but it turned out it's the NoScript Firefox extension... So for some reason it is causing that CSP error. Sorry :(
Thanks for adding a conclusion about what it was. At least it's a good data point.
Currently CSP complains and doesn't load those "media" references because CSP for media_src defaults to default_src, which is "self" only. media_src also needs "data:" which is added through my commit / PR.
The error appears for example when being on a host.
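
The fallback described in the PR description above, as an added example (not code from this PR or from Foreman): a JavaScript check that resolves which directive governs media loads and whether a `data:` URL is permitted. The function names and policy strings are constructed for illustration and use the header spelling (`media-src`, `default-src`).

```javascript
// Added illustration, not project code. Policy strings passed in are
// expected to be the value of a Content-Security-Policy header.

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives such as media-src fall back to default-src when absent.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) {
    return { from: directive, sources: policy.get(directive) };
  }
  if (policy.has('default-src')) {
    return { from: 'default-src', sources: policy.get('default-src') };
  }
  return { from: null, sources: null }; // nothing restricts this fetch type
}

// data: URLs match only an explicit "data:" scheme source; neither 'self'
// nor the "*" wildcard covers the data: scheme.
function allowsDataUrl(header, directive) {
  const { sources } = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === 'data:');
}

// Constructed sample policies: before and after adding data: to media-src.
const before = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const after = "default-src 'self'; media-src 'self' data:";

console.log(effectiveSources(parseCsp(before), 'media-src').from);
console.log(allowsDataUrl(before, 'media-src'), allowsDataUrl(after, 'media-src'));
```

Adding `data:` to `media-src` only widens media loads; other fetch types without their own directive still fall back to `default-src` and keep rejecting `data:` URLs.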