Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vector/index.html: Allow fetching blob and data urls from script #25335

Closed
wants to merge 1 commit into from

Conversation

SuperKenVery
Copy link
Contributor

@SuperKenVery SuperKenVery commented May 11, 2023

For matrix-org/matrix-react-sdk#10851

Checklist

  • Tests written for new code (and old code if feasible)
  • Linter and other CI checks pass
  • Sign-off given on the changes (see CONTRIBUTING.md)

Works with this matrix-react-sdk pr


This PR currently has none of the required changelog labels.

A reviewer can add one of: T-Deprecation, T-Enhancement, T-Defect, T-Task to indicate what type of change this is, or add Type: [enhancement/defect/task] to the description and I'll add them for you.

@SuperKenVery SuperKenVery requested a review from a team as a code owner May 11, 2023 10:44
@github-actions
Copy link

Thanks for opening this pull request, unfortunately we do not accept contributions from the main branch of your fork, please re-open once you switch to an alternative branch for everyone's sanity. See https://github.com/matrix-org/matrix-js-sdk/blob/develop/CONTRIBUTING.md

@github-actions github-actions bot closed this May 11, 2023
@github-actions github-actions bot added the Z-Community-PR Issue is solved by a community member's PR label May 11, 2023
@@ -28,7 +28,7 @@
style-src 'self' 'unsafe-inline' <%= csp_extra_source %>;
script-src 'self' 'wasm-unsafe-eval' https://www.recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/ <%= csp_extra_source %>;
img-src * blob: data:;
connect-src *;
connect-src * blob: data:;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This likely has security implications - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src - it might create an XSS vulnerability around anchors pointing at executable blobs

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But this is required to retrieve the data from script... No chance to do this?

And, I can't understand your XSS vulnerability and I can't find anything about this in the link provided :( My poor knowledge about web 🤣

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Z-Community-PR Issue is solved by a community member's PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants