CSP prevents loading of all images

[sgrigson]

Steps to reproduce the problem

1. Update to latest Glitch-Soc
2. All images are broken
   ...

Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: blob: <URL>".

Expected behaviour

Images should load

Actual behaviour

CSP blocks loading of all images

Detailed description

No response

Mastodon instance

oliphant.social

Mastodon version

v4.3.0-alpha.0+glitch

Technical details

If this is happening on your own Mastodon server, please fill out those:

• Ruby version: ruby 3.2.2 (2023-03-30 revision e51014f9c0) [x86_64-linux]
• Node.js version: v20.9.0

[sgrigson]

Fix:

mastodon@oliphant:~/live$ git checkout glitch-soc/main~2
Previous HEAD position was 769ab0ce47 Merge pull request #2475 from ClearlyClaire/glitch-soc/cleanup
HEAD is now at c34a3a83e1 Merge pull request #2471 from ClearlyClaire/glitch-soc/cleanup

Once I did that and did another bundle install && yarn install as well as precompile and restart, everything was golden again.

[Plastikmensch]

Are you using external media storage by chance?

I just loaded the new policy and it is working fine for me.
I'm not familiar enough with CSP to really pinpoint the issue or suggest a fix.

[eallion]

I use Docker and host media files on Cloudflare R2. I have watchtower set up to automatically update the Docker images nightly. This was working fine yesterday, but today I started getting CSP errors.

[Plastikmensch]

Ugh, Cloudflare...

Seems that the new CSP doesn't properly allow external media storage then :/