bepsvpt / secure-headers

PHP Secure Headers

Data protocol not being added to content-security-policy header

johnboc opened this issue · comments

My secure-headers.php has the following rules for img-src:

'img-src' => [
    'allow' => [
        env('APP_URL') . '/',
    ],
    'types' => [
        //
    ],
    'self' => true,
    'data' => true,
],

However, when I try to upload an image via a form, as soon as the image is dropped onto the input I get the following error:

Refused to load the image 'data:image/jpeg;base64,/9j/4aI5RXhpZgAASUkqAA....//Z' because it violates the following Content Security Policy directive: "img-src 'self' http://localhost:3000/".

It appears that 'data' => true is being ignored.

Hi @johnboc,

After 5.0, you should add data: in schemes. Sorry for not explaining it in the documentation.

'img-src' => [
  'schemes' => [
    'data:',
  ],
],
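To see why the original config produced the header in the error message and why moving `data:` under `schemes` fixes it, here is an added, stand-alone PHP example. It is not code from the secure-headers project: the directive builder and the allow-check below are simplified illustrations written for this issue, not the library's own logic, and the config arrays only mirror the shape of the secure-headers.php fragment above. The data URL is a constructed sample, not the reporter's.

```php
<?php
// Added example, not part of bepsvpt/secure-headers. Requires PHP 8+
// (str_starts_with). Shows that a config key the builder does not know
// about ('data' => true, the pre-5.0 shape) silently drops out of the
// directive, while 'schemes' => ['data:'] lands in the source list.

declare(strict_types=1);

/**
 * Build one CSP directive from a config array shaped like secure-headers.php.
 * Illustrative only (NOT the library's implementation): it handles 'self',
 * 'allow' (host sources) and 'schemes'. Any other key, including the old
 * 'data' => true, is ignored, which is exactly what the reporter observed.
 */
function buildDirective(string $name, array $cfg): string
{
    $sources = [];
    if (!empty($cfg['self'])) {
        $sources[] = "'self'";
    }
    foreach ($cfg['schemes'] ?? [] as $scheme) {
        // A scheme-source must end with ':' ("data:", "blob:", "https:").
        $sources[] = rtrim($scheme, ':') . ':';
    }
    foreach ($cfg['allow'] ?? [] as $host) {
        $sources[] = $host;
    }
    return $name . ' ' . implode(' ', $sources);
}

/**
 * Simplified source matching: does the directive permit loading $url?
 * Handles scheme-sources, 'self' (compared against $pageOrigin) and host
 * sources written as absolute URL prefixes. Real CSP matching also covers
 * wildcards, ports and path rules; this subset is enough to reproduce
 * the issue's failure and the fix.
 */
function directiveAllows(string $directive, string $url, string $pageOrigin): bool
{
    $parts = preg_split('/\s+/', trim($directive));
    array_shift($parts); // drop the directive name ("img-src")

    $urlScheme = '';
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        $urlScheme = strtolower($m[1]);
    }

    foreach ($parts as $src) {
        if ($src === "'self'") {
            if (str_starts_with($url, $pageOrigin . '/')) {
                return true;
            }
        } elseif (preg_match('/^[a-z][a-z0-9+.-]*:$/i', $src)) {
            if ($urlScheme === strtolower(rtrim($src, ':'))) {
                return true;
            }
        } elseif (str_starts_with($url, $src)) {
            return true;
        }
    }
    return false;
}

$origin  = 'http://localhost:3000';
// Constructed sample preview URL (a truncated JPEG header), not real upload data.
$dataUrl = 'data:image/jpeg;base64,/9j/4AAQSkZJRg==';

// Pre-5.0 shape from the issue: 'data' => true has no effect.
$broken = ['self' => true, 'allow' => [$origin . '/'], 'data' => true];
// Post-5.0 shape from the maintainer's reply: data: goes under 'schemes'.
$fixed  = ['self' => true, 'allow' => [$origin . '/'], 'schemes' => ['data:']];

$brokenDirective = buildDirective('img-src', $broken);
$fixedDirective  = buildDirective('img-src', $fixed);

echo $brokenDirective, PHP_EOL;
echo $fixedDirective, PHP_EOL;
var_dump(directiveAllows($brokenDirective, $dataUrl, $origin));
var_dump(directiveAllows($fixedDirective, $dataUrl, $origin));
```

Running this prints the broken directive without any `data:` token, matching the string in the browser's violation report, and the fixed directive with `data:` in it; the allow-check fails for the first and succeeds for the second. A practitioner check worth keeping in mind: `data:` under `img-src` is a common and relatively low-risk relaxation for image previews, but the same `schemes` entry under `script-src` or `object-src` would let arbitrary inline payloads through, so scope it to the directive that actually needs it.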

Thanks that works.

If you have any other questions, feel free to open a new issue.