From 83f77030a25bbe6748a9f696430d10ce7a27af3c Mon Sep 17 00:00:00 2001
From: Christoph Reiter <reiter.christoph@gmail.com>
Date: Thu, 4 Jun 2020 13:26:19 +0200
Subject: [PATCH] Add "blob:" "data:" to the img-src CSP

We get warnings for them from pdfjs; everything seems to work without them,
but it is better to allow them.
---
 assets/.htaccess.ejs | 2 +-
 rollup.config.js     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/assets/.htaccess.ejs b/assets/.htaccess.ejs
index 2b2e57d..b61fde8 100644
--- a/assets/.htaccess.ejs
+++ b/assets/.htaccess.ejs
@@ -4,7 +4,7 @@ DirectoryIndex <%= getUrl(name + '.html') %>
 </FilesMatch>
 
 Header set Cache-Control "must-revalidate, max-age=60"
-Header set Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at <%= keyCloakServer %> <%= entryPointURL %> httpbin.org www.handy-signatur.at <%= pdfAsQualifiedlySigningServer %>; img-src *"
+Header set Content-Security-Policy "default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at <%= keyCloakServer %> <%= entryPointURL %> httpbin.org www.handy-signatur.at <%= pdfAsQualifiedlySigningServer %>; img-src * blob: data:"
 
 # Apache adds a "-gzip" suffix to the etag when it uses gzip but doesn't
 # take that into account when receiving requests.
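Review bot: The new `img-src * blob: data:` keeps the host wildcard `*` while adding the two scheme sources, so the directive now allows images from any origin plus inline blob:/data: URLs; if pdfjs (presumably rendering pages into blob:/data: image URLs) is the only consumer that motivated this change, the narrower `img-src 'self' blob: data:` would drop the arbitrary-host allowance — whether external image hosts are still required is not visible in this diff, so that needs checking against the app. The identical directive is edited in the second hunk (rollup.config.js), and the two copies have already drifted in whitespace (`${pdfAsQualifiedlySigningServer} ; img-src` versus `%>; img-src`), so keeping them byte-identical, or generating one from the other, would make future CSP changes easier to audit. A short comment on the line such as `# blob:/data: are needed for pdfjs-rendered page images` would record why the scheme sources are present. The Header/FilesMatch block this line belongs to starts outside the hunk.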
diff --git a/rollup.config.js b/rollup.config.js
index f0784a1..efdc307 100644
--- a/rollup.config.js
+++ b/rollup.config.js
@@ -322,7 +322,7 @@ Dependencies:
           historyApiFallback: basePath + pkg.name + '.html',
           https: USE_HTTPS ? generateTLSConfig() : false,
           headers: {
-              'Content-Security-Policy': `default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at ${keyCloakServer} ${entryPointURL} httpbin.org www.handy-signatur.at ${pdfAsQualifiedlySigningServer} ; img-src *`
+              'Content-Security-Policy': `default-src 'self' 'unsafe-eval' 'unsafe-inline' analytics.tugraz.at ${keyCloakServer} ${entryPointURL} httpbin.org www.handy-signatur.at ${pdfAsQualifiedlySigningServer} ; img-src * blob: data:`
           },
         }) : false
     ]
-- 
GitLab