Let blob: pass CSP

Alex Gleason requested to merge alexgleason/pleroma:img-src-blob into develop

In order to allow showing a preview of an uploaded image, the blob: URI protocol needs to be allowed by CSP. An example:

Screenshot_from_2020-04-26_00-36-58

Without this MR:

Screenshot_from_2020-04-26_00-37-33 Screenshot_from_2020-04-26_00-42-16

The blob URLs look like blob:https://example.tld/e1e9d0fe-f12a-4d58-889b-0d0828594e40 and are created using URL.createObjectURL(file)

Example JS:

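// First file picked in the <input type="file"> change event
const [file] = e.target.files;
// Create a blob: URL for the preview only if a file was selected
const url = file ? URL.createObjectURL(file) : null;

console.log(url); // blob:https://example.tld/e1e9d0fe-f12a-4d58-889b-0d0828594e40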

This MR just lets blob: URIs be accepted by CSP.
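Added example, not part of the merge request or Pleroma's code: a small checker that parses a CSP header value and reports which directives accept blob: URLs, which makes it easy to confirm that the allowance is limited to img-src. The policy strings in the test are constructed, and only the direct fallback to default-src is modelled.

```javascript
// Added example: a minimal CSP audit for blob: URLs (not Pleroma's code).

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue; // empty segment, e.g. a trailing ';'
    const key = name.toLowerCase();
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// True if `directive` (falling back to default-src) permits blob: URLs.
function allowsBlob(header, directive) {
  const csp = parseCsp(header);
  const sources = csp.get(directive) ?? csp.get('default-src');
  // Neither the directive nor default-src present: this policy
  // places no restriction on that resource type.
  if (sources === undefined) return true;
  // Only the explicit scheme-source matches a blob: URL.
  // '*', 'self' and https: do not cover it.
  return sources.some((s) => s.toLowerCase() === 'blob:');
}

// Of the directives checked, those where blob: is accepted.
// These three all fall back directly to default-src.
function blobExposure(header, checked = ['img-src', 'media-src', 'script-src']) {
  return checked.filter((d) => allowsBlob(header, d));
}
```

A result of `['img-src']` from `blobExposure` means image previews work while blob: remains blocked for scripts and media.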