0020874: Content Security Policy blocked embedded images added by Chrome Extension

ID	Project	Category	View Status	Date Submitted	Last Update

0020874	mantisbt	ui	public	2016-05-04 21:45	2021-01-05 18:59

Reporter	vboctor	Assigned To	vboctor
Priority	normal	Severity	minor	Reproducibility	always
Status	assigned	Resolution	open
Product Version	1.3.0-beta.2
Target Version	2.26.0

Summary	0020874: Content Security Policy blocked embedded images added by Chrome Extension
Description	The content security policy that we have in place blocks images embedded in the html whether they are embedded by a plugin or by a Chrome extension. The case where I hit this issue where the a chrome extension that added an integration button but the image (which was embedded as background image in css) was blocked. The fix for this specific case is to whitelist "data:" as per the stackoverflow thread below? http://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28 We can do the following: Ask administrator to update code to add their CSP. Add a config option that enables admin to whitelist sources. Add an event to enable plugins to whitelist their own sources. Gravatar's plugin approach overrides previous header as per my understanding rather than complements it. I personally think 2 and 3 should be implemented. What are the thoughts of also enabling "data:" by default? @dregad and @atrol what are your thoughts?
Tags	mantishub

atrol 2016-05-05 05:17 developer ~0053072 Last edited: 2017-03-02 05:03	Add a config option that enables admin to whitelist sources. Didn't try, but the existing option custom_headers might be enough for it What are the thoughts of also enabling "data:" by default? Don't have time to check all details for that. Might mean less security out of the box, thus should be a decision of the administrator.