Fix dropzone #159
Conversation
config/environment.js
@@ -23,7 +23,7 @@ module.exports = function(environment) { | |||
'script-src': '\'self\' www.google-analytics.com www.googletagmanager.com', | |||
'font-src': '\'self\' fonts.gstatic.com', | |||
'connect-src': '\'self\' sentry.io', | |||
'img-src': '\'self\' camo.csvalpha.nl www.google-analytics.com img.youtube.com', | |||
'img-src': '\'self\' camo.csvalpha.nl www.google-analytics.com img.youtube.com data:', |
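Review bot: the `data:` appended to the `img-src` line is broader than the preview feature needs; it admits any injected `data:` image on the page, not just the previews dropzone generates. If the preview can be produced as an object URL instead of a base64 string, the narrower change is to add the `blob:` scheme source, e.g. `'img-src': '\'self\' camo.csvalpha.nl www.google-analytics.com img.youtube.com blob:'`. If `data:` has to stay, add a comment next to the directive saying which component relies on it so it is not silently widened again later.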
I am not sure if I like this; this is potentially insecure.
data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
Hmm that's true... Is there any other way to preview the uploaded images, without adding :data to the cors policy?
Maybe blobs? Or check with dropzone itself what they recommend.
Well, it is a blob, which is set as the image source as a base64 encoded string. Don't know if there's any other way to set the image source from a blob, but then you basically have the same problem again as described on that site, don't you?
I have created an issue with the package, wondering how other developers handle this. FutoRicky/ember-cli-dropzonejs#112
Great, we'll see what they'll respond with. For the time being, I removed :data from the CSP. For now we'll then at least have a working dropzone, just without preview images.
Great!
Summary
Fixes #150
Also, there was no preview shown of the uploaded images, because it is shown as a base64-encoded data string, which was not allowed by the cors policy. That is also fixed with this PR.
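The thread above turns on one question: why `data:` in `img-src` is a wide door while a `blob:` object URL is a narrow one, and whether the dropzone preview can be served through the narrow one. The block below is an added example written for this page, not code from the csvalpha project or from ember-cli-dropzonejs. It models the browser's `img-src` matching in simplified form (no ports, paths or full wildcard handling) and assumes the document origin is `https://csvalpha.nl`; the policy strings are the two `img-src` values from the diff, with `blob:` swapped in for `data:` in the second. The PNG bytes are a constructed sample.

```javascript
// Added example: how the two image-preview strategies interact with CSP img-src.
// Not part of the csvalpha repo or ember-cli-dropzonejs. PAGE_ORIGIN is assumed.

const PAGE_ORIGIN = 'https://csvalpha.nl'; // assumed document origin

// The img-src value from the PR diff, and the same value with blob: instead of data:.
const IMG_SRC_WITH_DATA =
  "'self' camo.csvalpha.nl www.google-analytics.com img.youtube.com data:";
const IMG_SRC_WITH_BLOB =
  "'self' camo.csvalpha.nl www.google-analytics.com img.youtube.com blob:";

// Split a directive value into source expressions, stripping the quotes
// around keyword sources such as 'self'.
function parseSources(directive) {
  return directive.trim().split(/\s+/).map((s) => s.replace(/^'(.*)'$/, '$1'));
}

// Simplified CSP source matching, enough to show the data:/blob: difference.
function matchesSource(source, url) {
  const u = new URL(url, PAGE_ORIGIN);
  if (source === 'self') {
    // 'self' covers same-origin http(s) loads; data: and blob: URLs only
    // match when their scheme is listed explicitly.
    return u.protocol.startsWith('http') && u.origin === PAGE_ORIGIN;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // Scheme source (data:, blob:, https:): matches any URL of that scheme.
    return u.protocol === source.toLowerCase();
  }
  // Host source, optionally scheme-prefixed, optionally with a *. wildcard.
  const m = source.match(/^(?:([a-z]+):\/\/)?(\*\.)?([^/:]+)$/i);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (!u.protocol.startsWith('http')) return false;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  return wildcard ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

// Would an <img src=url> be allowed under this img-src directive?
function imgAllowed(directive, url) {
  return parseSources(directive).some((s) => matchesSource(s, url));
}

// Constructed sample: the 8-byte PNG signature standing in for an upload.
const PNG_SIGNATURE = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Preview strategy 1 (what the thread describes dropzone doing): a base64
// data: URL. Loading it needs data: in img-src, which also admits any
// attacker-controlled data: image injected into the page.
function dataUrlPreview(bytes, mime) {
  const b64 = btoa(String.fromCharCode(...bytes));
  return `data:${mime};base64,${b64}`;
}

// Preview strategy 2: an object URL. The browser mints blob:<origin>/<uuid>,
// bound to this document, and the only policy change needed is blob: in
// img-src. Returns null where Blob/createObjectURL are unavailable.
function objectUrlPreview(bytes, mime) {
  if (typeof Blob === 'undefined' || typeof URL.createObjectURL !== 'function') {
    return null;
  }
  return URL.createObjectURL(new Blob([bytes], { type: mime }));
}

// Release an object URL once the preview <img> no longer needs it.
function releasePreview(url) {
  if (url && url.startsWith('blob:') && typeof URL.revokeObjectURL === 'function') {
    URL.revokeObjectURL(url);
  }
}
```

With the policy from the diff, `imgAllowed(IMG_SRC_WITH_DATA, 'data:image/png;base64,...')` is true for any data: image, whoever put it on the page. With the `blob:` variant the base64 preview is blocked, while `objectUrlPreview` yields a `blob:` URL the same policy accepts. A `blob:` URL can only be minted by script already running in a document, and browsers resolve it only for the origin that created it, so listing `blob:` does not give an injected `<img>` a usable loading channel the way `data:` does. Remember to call `releasePreview` when the preview is removed, or the underlying Blob stays referenced until the page unloads.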