Remove localhost attribute in the `img-src` CSP directive — radicle-desktop

rad:z4D5UCArafTzTQpDZNQRuqswh3ury

Radicle desktop app

Remove localhost attribute in the `img-src` CSP directive

Merged did:key:z6MkkfM3...sVz5 opened 1 year ago

By restricting img-src in our CSP, we weren’t allowing images from e.g. https://github.com like CI badges to display.

We can eventually look at it again in the future but I think users will try to embed pictures from lots of places in their comments, descriptions, etc.

Activity Changes +0 -0

did:key:z6MkkfM3...sVz5 opened with revision 3871367e on base 557e96f9 +1 -1 1 year ago

By restricting img-src in our CSP, we weren’t allowing images from e.g. https://github.com like CI badges to display.

We can eventually look at it again in the future but I think users will try to embed pictures from lots of places in their comments, descriptions, etc.

rudolfs commented on revision 1 1 year ago

I still don’t see the github badges when I build the app for production based on this patch.

did:key:z6MkkfM3...sVz5 pushed revision 2 5502a32f on base 924130ce +1 -1 1 year ago

Instead of only removing attributes, in this revision I put the https: attribute to the img-src directive which should allow users to display any image from a https scheme. Also rebased the patch.

did:key:z6MkkfM3...sVz5 commented on revision 2 1 year ago

@rudolfs, this is ready for a review

rudolfs accepted 1 year ago

rudolfs pushed revision 3 096abc76 on base 9632d61d +1 -1 1 year ago

Rebase.

rudolfs merged revision 096abc76 at 5dd75959 1 year ago