
Fix broken find token image in HTTP #3635

Merged
merged 2 commits into from
Apr 12, 2024

Conversation

JamesNK
Member

@JamesNK JamesNK commented Apr 12, 2024

Fixes #3603

If the website is http, then allow http or https images.
If the website is https, then only allow https images.

Working: [screenshot]

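As an added example (not code from this PR or the Aspire project), the rule in the description expressed as a small ASP.NET Core helper: `ImgSrcDirective` derives the `img-src` directive from whether the request is HTTPS, and the hypothetical `IsAllowed` check shows which image URLs each variant admits; the names `ImageCsp`, `IsAllowed` and `UseImageCsp` are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class ImageCsp
{
    // An https page loading http images is mixed content, so only https: is
    // listed there; an http page can load either scheme. 'self' and data: are
    // kept in both variants for the dashboard's own and inline images.
    public static string ImgSrcDirective(bool isHttps) =>
        isHttps
            ? "img-src 'self' data: https:"
            : "img-src 'self' data: http: https:";

    // Hypothetical checker: would an absolute image URL satisfy the directive
    // that ImgSrcDirective returns for the given site origin?
    public static bool IsAllowed(Uri site, Uri image)
    {
        if (image.Scheme == "data")
            return true;                                    // data:
        if (image.Scheme == site.Scheme && image.Authority == site.Authority)
            return true;                                    // 'self'
        if (image.Scheme == Uri.UriSchemeHttps)
            return true;                                    // https: (both variants)
        // http: is only listed when the site itself is served over http.
        return site.Scheme == Uri.UriSchemeHttp && image.Scheme == Uri.UriSchemeHttp;
    }

    // Middleware that emits the directive per request. A real app would combine
    // it with its other CSP directives rather than sending img-src alone.
    public static IApplicationBuilder UseImageCsp(this IApplicationBuilder app) =>
        app.Use(async (ctx, next) =>
        {
            ctx.Response.Headers.Append(
                "Content-Security-Policy",
                ImgSrcDirective(ctx.Request.IsHttps));
            await next();
        });
}
```

With a site of `https://localhost:18888`, `IsAllowed` rejects `http://cdn.example/logo.png` and accepts the https and data: forms; with `http://localhost:18888` it accepts all three.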

@JamesNK
Member Author

JamesNK commented Apr 12, 2024

/backport to release/8.0

Contributor

Started backporting to release/8.0: https://github.com/dotnet/aspire/actions/runs/8656686212

@tlmii
Member

tlmii commented Apr 12, 2024

Given that we don't have any external images, would just doing 'self' (or 'self' data:) be better?

@JamesNK
Member Author

JamesNK commented Apr 12, 2024

'self' would have been simpler.

IMO the PR as it is works and could allow external images if needed by a feature at some point. I think we go with this for now. Change more if needed.

@kvenkatrajan
Member

Approved, and thanks for the tests. Just wondering if there are any XSS concerns with any external site when we specify https.

@danmoseley
Member

We missed the snap anyway; @tlmii, if you believe you need to modify this, there is time.

@JamesNK
Member Author

JamesNK commented Apr 12, 2024

> Approved, and thanks for the tests. Just wondering if there are any XSS concerns with any external site when we specify https.

No. An image can't be used to run scripts.

@JamesNK JamesNK merged commit e56c56e into main Apr 12, 2024
8 checks passed
@JamesNK JamesNK deleted the jamesnk/images-http-csp branch April 12, 2024 06:16
@github-actions github-actions bot locked and limited conversation to collaborators May 12, 2024