Data protocol not being added to content-security-policy header
johnboc opened this issue
johnboc commented
My secure-headers.php has the following rules for img-src:
    'img-src' => [
        'allow' => [
            env('APP_URL') . '/',
        ],
        'types' => [
            //
        ],
        'self' => true,
        'data' => true,
    ],
However, when I try to upload an image via a form, as soon as the image is dropped onto the input I get the following error:
Refused to load the image 'data:image/jpeg;base64,/9j/4aI5RXhpZgAASUkqAA....//Z' because it violates the following Content Security Policy directive: "img-src 'self' http://localhost:3000/".
It appears that 'data' => true is being ignored.
bepsvpt commented
Hi @johnboc,
After 5.0, you should add data: in schemes. Sorry for not explaining it in the documentation.
    'img-src' => [
        'schemes' => [
            'data:',
        ],
    ],
johnboc commented
Thanks, that works.
bepsvpt commented
If you have any other questions, feel free to open a new issue.
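One way to confirm the fix from the response header itself, as an added example that is not part of the original thread or of the secure-headers package: this JavaScript sketch parses a Content-Security-Policy value and reports whether images may load from data: URLs. The first header is the policy quoted in the error above; the second is constructed to show the policy once data: is listed, and the function names are hypothetical.

```javascript
// Added example: check whether a CSP header value lets <img> load data: URLs.
// Scope: only the decision for data: URLs is modelled, not full source matching.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive that appears twice is ignored the second time: first one wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Return true if the policy permits an image whose URL uses the data: scheme.
function allowsDataImages(header) {
  const policy = parseCsp(header);
  // img-src falls back to default-src; if neither is set, images are unrestricted.
  const sources = policy['img-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  // Only the scheme-source "data:" matches a data: URL. 'self', host-sources
  // such as http://localhost:3000/ and the "*" wildcard do not match it.
  return sources.some((s) => s.toLowerCase() === 'data:');
}

// Policy quoted in the browser error in this thread.
const REPORTED = "img-src 'self' http://localhost:3000/";
// Constructed sample: the same policy with the data: scheme added.
const FIXED = "img-src 'self' http://localhost:3000/ data:";

for (const [label, header] of [['reported', REPORTED], ['fixed', FIXED]]) {
  console.log(`${label}: data: images allowed = ${allowsDataImages(header)}`);
}
```

Run it against the header your application actually returns (for example, copied from the browser's network panel) after changing the config, since a cached config can keep serving the old policy.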