Relax the Content-Security-Policy to allow mailto: links in the Kiwix Serve iframe #1090
Comments
As there are plenty of other protocols, like This may be a separate issue, or this issue could be generalized to deal with custom protocols as well as
Thinking about it, comparing the protocols / URI Scheme could be problematic in a few situations:
Second bullet-point above can be dealt with by using the EDIT: Apart from
This relates to issue #1138 on Kiwix Tools. Most links that are not considered secure are blocked by the CSP and/or sandbox, and that includes mailto: links, which are blocked in Chromium browsers (whereas they seem not to be blocked by Firefox). This also affects Kiwix JS Browser Extension and the PWA.

I have determined (in the PWA) that relaxing the CSP for the content in the iframe should fix this. All that is needed is to add mailto: to the list of exceptions in the internalServer.cpp code. I am pretty sure it won't be necessary to alter the CSP of the outer document, but that would need testing. The code is here: https://github.com/kiwix/libkiwix/blob/main/src/server/internalServer.cpp#L1110

A Zimit2 ZIM with a mailto: link is given in the linked issue for testing.