Nuxeo Platform / NXP-21266

Default Content Security Policy should whitelist blob scheme


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 8.10
    • Fix Version/s: 8.10-HF01, 9.1
    • Component/s: Preview, Security

      Description

      According to the latest CSP specification, the '*' source wildcard only matches network schemes (such as http(s) and ftp), so it does not cover other schemes like blob: or data:. This causes issues, e.g. with PDFs containing embedded images viewed with pdf.js, which loads them from blob: URLs.

      Users should still be able to override the default CSP contribution (overriding it is recommended anyway) and use, for example:

      <header name="Content-Security-Policy">default-src * blob:; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>
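The matching rule the description relies on, shown as an added example (this is not Nuxeo code and not part of the issue): a small CSP Level 3 source-expression matcher covering the expression forms used in the policy above, run against constructed sample URLs. It assumes the page's own origin is https://nuxeo.example.com and that the pre-fix policy is the quoted policy without the blob: entry; both are assumptions, not facts from the issue.

```javascript
// Added example, not Nuxeo code: a minimal CSP Level 3 source-expression
// matcher. It shows why a bare '*' matches http:/https:/ws:/wss:/ftp: URLs
// but not blob: or data: URLs, and how the override policy changes that.
// Assumptions (not from the issue): the protected page's origin is
// https://nuxeo.example.com, and the pre-fix policy is the page's policy
// without the blob: entry.

// Fetch-spec "network schemes": the only schemes a bare '*' matches
// (besides the protected resource's own scheme).
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "ftp:"]);

const SELF_ORIGIN = "https://nuxeo.example.com"; // assumed origin

// Constructed pre-fix policy (assumption): default-src without blob:.
const POLICY_WITHOUT_BLOB =
  "default-src *; script-src 'unsafe-inline' 'unsafe-eval' data: *; " +
  "style-src 'unsafe-inline' *; font-src data: *";

// The override policy quoted in the issue.
const POLICY_WITH_BLOB =
  "default-src * blob:; script-src 'unsafe-inline' 'unsafe-eval' data: *; " +
  "style-src 'unsafe-inline' *; font-src data: *";

// Parse a serialized policy into Map(directive name -> [source expressions]).
// A directive repeated within one policy is ignored after its first occurrence.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match `url` when the protected resource is `self`?
// Keywords other than 'self'/'none' ('unsafe-inline', nonces, hashes) never
// match a URL; path components of host-sources are ignored for brevity.
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.protocol === self.protocol && url.host === self.host;
  if (e.startsWith("'")) return false;
  if (e === "*") {
    // CSP3: '*' matches only network schemes or the protected resource's scheme.
    return NETWORK_SCHEMES.has(url.protocol) || url.protocol === self.protocol;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. blob:
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // An explicit http scheme also matches https (upgrade); no scheme means self's scheme.
  const schemeOk = scheme
    ? url.protocol === `${scheme}:` || (scheme === "http" && url.protocol === "https:")
    : url.protocol === self.protocol || (self.protocol === "http:" && url.protocol === "https:");
  if (!schemeOk) return false;
  const hostOk = wildcard ? url.hostname.endsWith(`.${host}`) : url.hostname === host;
  if (!hostOk) return false;
  if (port === undefined) return url.port === ""; // only the scheme's default port
  return port === "*" || url.port === port;
}

// Would a fetch directive (img-src, script-src, ...) allow `urlString`?
// Fetch directives fall back to default-src when absent; a directive listed
// with no sources allows nothing; no applicable directive means unrestricted.
function allows(policy, directive, urlString, selfOrigin = SELF_ORIGIN) {
  const dirs = parsePolicy(policy);
  const sources = dirs.get(directive.toLowerCase()) ?? dirs.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  return sources.some((s) => sourceMatches(s, url, self));
}

// Constructed sample loads: a CDN image, a blob: object URL of the kind
// pdf.js creates for embedded images, a data: image and a data: script.
const SAMPLES = [
  ["img-src", "https://cdn.example.org/logo.png"],
  ["img-src", "blob:https://nuxeo.example.com/preview-image"],
  ["img-src", "data:image/png;base64,iVBORw0KGgo="],
  ["script-src", "data:text/javascript,alert(1)"],
];

for (const [directive, u] of SAMPLES) {
  console.log(
    `${directive} ${u}: without blob: -> ${allows(POLICY_WITHOUT_BLOB, directive, u)}, ` +
      `with blob: -> ${allows(POLICY_WITH_BLOB, directive, u)}`
  );
}
```

Run with node: the CDN image is allowed by both policies, the blob: image only once blob: is listed, and the data: image by neither, because img-src falls back to default-src, which lists blob: but not data:. The data: script is allowed by both, since script-src lists data: explicitly; when copying the override, that entry (together with 'unsafe-eval') lets any injected data: URL run as a script, so drop it unless something actually depends on it.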
