
Usage of data: regarding Content Security Policy (CSP) #620

Open
Basssiiie opened this issue Mar 6, 2024 · 1 comment

Comments

@Basssiiie

Basssiiie commented Mar 6, 2024

Hello,

We are using the image cropper in our applications and are running into an issue with our Content Security Policy. We'd like to restrict the usage of data: as it is considered an insecure protocol, but the image cropper does not like this because it contains a hardcoded image inside a data: base64 string here.

For reference, from here:

data: Allows data: URLs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URLs. Use this sparingly and definitely not for scripts.

Would it be possible to have this replaced with a safer alternative so the usage of data: can be completely banned from our applications?

Thank you very much for your time. 🙂
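As an added illustration of the problem described in this report (not code from the cropper project or from either commenter), here is a simplified evaluator for the CSP img-src directive: it shows that a hardcoded data: image is rejected by any policy that omits the data: scheme-source, while 'self' and even * never admit it. The policy strings, page origin and the sample data: URL are constructed for the example; path matching, host wildcards and nonces are left out.

```javascript
// Added example, not code from the cropper project: a simplified CSP img-src
// evaluator, enough to show why a hardcoded data: image is blocked by a policy
// without the data: scheme-source. Omits CSP3 path matching, host wildcards, nonces.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // CSP ignores repeated directives after the first occurrence.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// True if <img src=url> on a page served from pageOrigin loads under the policy.
function imgAllowed(header, url, pageOrigin) {
  const policy = parsePolicy(header);
  // img-src governs images; if absent, default-src applies; if neither, allow.
  const sources = policy.get("img-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  if (sources.includes("'none'")) return false;
  const target = new URL(url);
  if (target.protocol === "data:") {
    // data: URLs have an opaque origin: neither 'self' nor * covers them,
    // only the explicit scheme-source "data:" does.
    return sources.includes("data:");
  }
  const self = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return target.origin === self.origin;
    if (src.startsWith("'")) return false; // other keywords never match a URL
    if (src.endsWith(":")) return src === target.protocol; // scheme-source
    // host-source: compare scheme (defaulting to the target's) and host[:port]
    const allowed = new URL(src.includes("://") ? src : `${target.protocol}//${src}`);
    return allowed.protocol === target.protocol && allowed.host === target.host;
  });
}

// Constructed sample data: URL standing in for the cropper's fallback pixel;
// the project's actual string may differ, and it is never decoded here.
const EMPTY_PIXEL =
  "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";

// A 'self'-only policy blocks the pixel; adding data: to img-src admits it.
console.log(imgAllowed("default-src 'self'", EMPTY_PIXEL, "https://app.example")); // false
console.log(imgAllowed("default-src 'self'; img-src 'self' data:", EMPTY_PIXEL, "https://app.example")); // true
```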

@Mawi137
Owner

Mawi137 commented Apr 17, 2024

Hi

By default the image is set to an empty pixel, I don't know anymore why that is. So we can try to remove it. Feel free to try it out and open a PR.
