/planet won't load images due to CSP #1257

Closed
humphd opened this issue Nov 1, 2020 · 7 comments · Fixed by #2396
Labels: area: back-end, type: bug (Something isn't working), type: security (Security concerns)

Comments

@humphd (Contributor) commented Nov 1, 2020

We tweaked our Content Security Policy recently, and it's causing the /planet front-end to break for all images.

STR:

  1. Open https://telescope.cdot.systems, notice it displays images
  2. Open https://telescope.cdot.systems/planet in a second tab, notice you have no images

I get the following errors in the console:

In Chrome:

Content Security Policy: The page’s settings blocked the loading of a resource at https://1.bp.blogspot.com/-UbK3cE5UlpE/X55fbQ45iTI/AAAAAAAAC3s/8DrI5X9Ee2IeT6n0_FXPPctlxs50u1OMACLcBGAsYHQ/w642-h239/telescope12234.PNG (“img-src”).

In Firefox:

Refused to load the image 'https://1.bp.blogspot.com/-UbK3cE5UlpE/X55fbQ45iTI/AAAAAAAAC3s/8DrI5X9Ee2IeT6n0_FXPPctlxs50u1OMACLcBGAsYHQ/w642-h239/telescope12234.PNG' because it violates the following Content Security Policy directive: "img-src 'self' data:".

Let's update our img-src directive to be less restrictive.

humphd added the type: bug, area: back-end and type: security labels Nov 1, 2020
@zg3d (Contributor) commented Nov 10, 2020

Hey, can I work on this issue?

@humphd (Contributor, Author) commented Nov 10, 2020

@zg3d all yours.

@zg3d (Contributor) commented Nov 10, 2020

@humphd I think this is not an issue and has been fixed in a previous commit 6433ac0

@humphd (Contributor, Author) commented Nov 10, 2020

@zg3d awesome, thank you for confirming.

humphd closed this as completed Nov 10, 2020
@zg3d (Contributor) commented Nov 15, 2020

@humphd The code in app.js in the current repo is accurate; however, when I check with a CSP evaluator on the current dev build, the https source in img-src is not shown or used, ending up with the above console error.

imgSrc: ["'self'", 'data:', 'https:'],

[screenshot]

zg3d reopened this Nov 15, 2020
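Neither policy is shown in full on this page, so the following added example (written for this page, not Telescope's app.js or the helmet middleware) reconstructs both from what the thread does show: the `img-src 'self' data:` directive quoted in the console error of the first comment, and the `imgSrc: ["'self'", 'data:', 'https:']` array zg3d pasted above. It serialises a helmet-style directives object into a header value, then checks the blocked blogspot image against each policy the way a browser would apply `img-src` (falling back to `default-src` when `img-src` is absent). The `default-src 'self'` directive and the `https://*.blogspot.com` host-list variant are assumptions added to show the tighter alternative, not settings from the project; port and path matching and report-only mode are left out.

```javascript
// Added example (not Telescope's code): a minimal img-src checker that shows why
// "img-src 'self' data:" blocks the blogspot image on /planet and how the relaxed
// directive from the thread lets it through. Browser CSP matching is more complete
// than this (ports, paths, 'unsafe-*' keywords and report-only mode are omitted).

// Turn a helmet-style directives object into the header value a browser sees:
// camelCase keys become kebab-case directive names, values are space-joined.
function serializeDirectives(directives) {
  return Object.entries(directives)
    .map(([key, values]) => `${key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase())} ${values.join(' ')}`)
    .join('; ');
}

// Parse a CSP header value into Map<directive name, source list>. The first
// occurrence of a directive wins, as in browsers; later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression permit `url` when the document is at `page`?
function sourceMatches(source, url, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === page.origin;
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  // scheme-source such as https: or data:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol.toLowerCase() === source.toLowerCase();
  // host-source: [scheme://][*.]host[:port][/path]; port and path are ignored here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme) {
    if (url.protocol.toLowerCase() !== `${scheme.toLowerCase()}:`) return false;
  } else if (url.protocol !== page.protocol && url.protocol !== 'https:') {
    return false; // no scheme given: the page's scheme (or https) is implied
  }
  const urlHost = url.hostname.toLowerCase();
  return wildcard ? urlHost.endsWith(`.${host.toLowerCase()}`) : urlHost === host.toLowerCase();
}

// Decide whether an <img> at imageUrl may load on pageUrl. Returns the governing
// directive in the form browsers quote in the console error.
function checkImage(cspHeader, imageUrl, pageUrl) {
  const directives = parseCsp(cspHeader);
  const name = ['img-src', 'default-src'].find((d) => directives.has(d));
  if (!name) return { allowed: true, directive: null }; // no directive governs images
  const sources = directives.get(name);
  const url = new URL(imageUrl);
  const page = new URL(pageUrl);
  return {
    allowed: sources.some((s) => sourceMatches(s, url, page)),
    directive: `${name} ${sources.join(' ')}`,
  };
}

// Constructed inputs taken from the thread: the page, the blocked image and the two
// policies. default-src 'self' is an assumption, not a setting quoted in the issue.
const PAGE = 'https://telescope.cdot.systems/planet';
const BLOGSPOT_IMAGE =
  'https://1.bp.blogspot.com/-UbK3cE5UlpE/X55fbQ45iTI/AAAAAAAAC3s/8DrI5X9Ee2IeT6n0_FXPPctlxs50u1OMACLcBGAsYHQ/w642-h239/telescope12234.PNG';
const RESTRICTIVE = serializeDirectives({ defaultSrc: ["'self'"], imgSrc: ["'self'", 'data:'] });
const RELAXED = serializeDirectives({ defaultSrc: ["'self'"], imgSrc: ["'self'", 'data:', 'https:'] });
// Tighter alternative (assumption, not what the thread adopted): allow only known feed hosts.
const HOST_LIST = "default-src 'self'; img-src 'self' data: https://*.blogspot.com";

for (const [label, csp] of [['restrictive', RESTRICTIVE], ['relaxed', RELAXED], ['host list', HOST_LIST]]) {
  const { allowed, directive } = checkImage(csp, BLOGSPOT_IMAGE, PAGE);
  console.log(`${label.padEnd(12)} ${allowed ? 'loads  ' : 'BLOCKED'}  ${directive}`);
}
```

Run it with `node`. The restrictive policy reports the same directive string the Firefox console quoted, and the relaxed policy loads the image. The trade-off is visible in the checker too: with `https:` any HTTPS host becomes a valid image source, which is acceptable for `img-src` on a feed aggregator that must show images from arbitrary blogs but would be a serious weakening in `script-src`; the host-list variant is the narrower option when the set of image hosts is known, and a scheme source this broad is the kind of finding online CSP evaluators tend to report.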
@humphd (Contributor, Author) commented Nov 15, 2020

We should probably fix up our CSP in a few ways. These online evaluators flag a couple of different things. @zg3d do you want to work on this or leave for someone else?

zg3d removed their assignment Nov 15, 2020
@zg3d (Contributor) commented Nov 15, 2020

I'll leave it for someone else, as I am unsure of the interaction here.

Metropass self-assigned this Feb 18, 2021
humphd mentioned this issue Oct 31, 2021
humphd linked a pull request Oct 31, 2021 that will close this issue
3 participants