CSP causes images not to load from AWS S3 and Google Avatar #14664
Comments
I'm not really sure of the best way to account for that. Maybe add an env var for additional CSP urls.
snipe-it/app/Presenters/UserPresenter.php, Lines 429 to 438 in 0d4f132
We can't just accept anything, or it would defeat the purpose of the CSP in the first place. We do account for the public AWS URL tho.
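The approach sketched in the comment above (extra CSP image origins taken from an environment variable, without accepting arbitrary values), as an added example that is not Snipe-IT's own code. It assumes a hypothetical ADDITIONAL_CSP_IMG_SRC variable holding a comma-separated list of origins, keeps only well-formed https origins (scheme and host, optional port, no path, no wildcard, no CSP keyword) and reports the rejected entries instead of silently widening the policy. The base source list and the sample input are constructed; the project's real directive differs.

```php
<?php
// Added example (not Snipe-IT's own code): build a CSP img-src directive
// from a fixed base list plus vetted origins read from a hypothetical
// ADDITIONAL_CSP_IMG_SRC environment variable.
declare(strict_types=1);

/**
 * Split a comma/whitespace separated list of origins and keep only
 * well-formed https origins: scheme + host, optional port, no path,
 * no wildcard, no CSP keyword such as * or 'unsafe-inline'.
 * Rejected entries are returned so the caller can log them.
 */
function parseAdditionalImgSources(string $raw): array
{
    $accepted = [];
    $rejected = [];
    foreach (preg_split('/[\s,]+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $entry) {
        if (preg_match('#\Ahttps://[a-z0-9.-]+(?::\d{1,5})?\z#i', $entry) === 1) {
            $accepted[] = strtolower($entry);
        } else {
            $rejected[] = $entry;
        }
    }
    return [
        'accepted' => array_values(array_unique($accepted)),
        'rejected' => $rejected,
    ];
}

/** Join the base sources and the vetted extras into one img-src directive. */
function buildImgSrcDirective(array $baseSources, array $extraSources): string
{
    $sources = array_values(array_unique(array_merge($baseSources, $extraSources)));
    return 'img-src ' . implode(' ', $sources);
}

// Constructed sample input mirroring the report: the S3 bucket origin and the
// Google avatar origin, plus two entries that must be refused. In practice the
// value comes from the environment.
$raw = getenv('ADDITIONAL_CSP_IMG_SRC');
if ($raw === false || $raw === '') {
    $raw = 'https://our-snipeit-public.s3.eu-west-1.amazonaws.com, '
         . 'https://lh3.googleusercontent.com, *, http://example.invalid';
}
$result = parseAdditionalImgSources($raw);

// Constructed base list; the project's real directive has more sources.
$base = ["'self'", 'data:'];
$directive = buildImgSrcDirective($base, $result['accepted']);

foreach ($result['rejected'] as $bad) {
    error_log("Ignoring unsafe CSP img-src entry from environment: {$bad}");
}

// In the web app this string joins the other directives in the
// Content-Security-Policy response header; printed here for a CLI run.
echo $directive, PHP_EOL;
```

The variable holds origins, not object URLs: for the S3 image in the report that is https://our-snipeit-public.s3.eu-west-1.amazonaws.com and for avatars https://lh3.googleusercontent.com. Restricting entries to explicit https origins is what keeps the env var from becoming a way to reintroduce `*` or `data:` and thereby undo the policy the comment above is defending.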
snipe added a commit that referenced this issue on May 16, 2024:
Signed-off-by: snipe <[email protected]>
snipe added a commit that referenced this issue on May 16, 2024:
Fixed #14664 - allow additional urls in env for CSP
Debug mode
Describe the bug
We are using S3 Buckets for storing uploaded images but they are not loaded in the browser because the URL violates the CSP
https://our-snipeit-public.s3.eu-west-1.amazonaws.com/assets/asset-image-asdafsdf.jpeg
Also Google User Avatars are not loaded because they violate the CSP
https://lh3.googleusercontent.com/a/ACg8ocJ6zs9J_VbdONsjPJHQWWsakG-XO1qpl30DAtG5fqR42_-XsaqI=s96-c
The current CSP header is:
Reproduction steps
Expected behavior
images should be loaded from those external services and blocked by CSP
Snipe-IT Version
6.3.4
Operating System
Ubuntu, Docker
Web Server
Traefik
PHP Version
that of docker image snipe/snipe-it:v6.3.4