vector/index.html: Allow fetching blob and data urls from script #25335
Conversation
|
Thanks for opening this pull request, unfortunately we do not accept contributions from the main branch of your fork, please re-open once you switch to an alternative branch for everyone's sanity. See https://github.com/matrix-org/matrix-js-sdk/blob/develop/CONTRIBUTING.md |
github-actions
bot
added
the
Z-Community-PR
| @@ -28,7 +28,7 @@ | |||
| style-src 'self' 'unsafe-inline' <%= csp_extra_source %>; | |||
| script-src 'self' 'wasm-unsafe-eval' https://www.recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/ <%= csp_extra_source %>; | |||
| img-src * blob: data:; | |||
| connect-src *; | |||
| connect-src * blob: data:; | |||
There was a problem hiding this comment.
This likely has security implications - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src - it might create an XSS vulnerability around anchors pointing at executable blobs
There was a problem hiding this comment.
But this is required to retrieve the data from script... No chance to do this?
And, I can't understand your XSS vulnerability and I can't find anything about this in the link provided :( My poor knowledge about web 🤣
For matrix-org/matrix-react-sdk#10851
Checklist
Works with this matrix-react-sdk pr
This PR currently has none of the required changelog labels.
A reviewer can add one of:
T-Deprecation,T-Enhancement,T-Defect,T-Taskto indicate what type of change this is, or addType: [enhancement/defect/task]to the description and I'll add them for you.