Add blob: to connect-src CSP, fixes #1827

Alex Gleason requested to merge alexgleason/pleroma:connect-src into develop

I discovered that Soapbox FE actually resizes images in the browser before uploading. It seems the error in #1827 (closed) occurs when the image is large enough that it triggers this resizing.

The resizing code relies on a third-party library, exif-js, which makes an XHR request on the uploaded image while trying to determine its orientation. This code is what triggers the CSP:

  // exif-js helper: fetch the object URL (a blob: URL created by the browser for
  // the selected file) back as a Blob so the EXIF orientation tag can be read.
  function objectURLToBlob(url, callback) {
    var http = new XMLHttpRequest();
    // This GET to a blob: URL is the request that connect-src must allow.
    http.open("GET", url, true);
    http.responseType = "blob";

    http.onload = function (e) {
      // Status 0 covers non-HTTP schemes such as blob:, where no status code exists.
      if (this.status == 200 || this.status === 0) {
        callback(this.response);
      }
    };

    http.send();
  }

Maybe there's a better way to get the image's orientation, but I see no reason not to let blob: through CSP. This MR relaxes the CSP and makes uploads through Soapbox FE work smoothly again.
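As an added illustration (not code from this MR or from Pleroma), a simplified connect-src evaluator following the CSP3 source-expression rules; it shows why the XHR above is refused by `connect-src 'self'` (and even by `connect-src *`) and passes once `blob:` is listed. The policy strings and the origin `example.social` are constructed.

```javascript
// Added example, not code from this MR or from Pleroma: a simplified CSP
// connect-src evaluator following the CSP3 source-expression rules, showing
// why the exif-js XHR to a blob: URL fails under connect-src 'self' (and even
// under connect-src *) and succeeds once the blob: scheme source is listed.
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

function sourceMatches(src, url, origin) {
  if (src === "'none'") return false;
  // '*' covers http(s) URLs and the page's own scheme only; blob:, data: and
  // filesystem: are deliberately excluded by the spec.
  if (src === "*") return /^https?:$/.test(url.protocol) || url.protocol === origin.protocol;
  // 'self' compares scheme, host and port with the page origin. A blob: URL
  // has no host in the URL grammar, so it can never match 'self'.
  if (src === "'self'") return url.protocol === origin.protocol && url.host === origin.host;
  // Scheme source such as "blob:" or "https:" (http: also admits https:).
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {
    return url.protocol === src || (src === "http:" && url.protocol === "https:");
  }
  // Host source such as "wss://example.social" or "*.example.social:443"
  // (simplified: no path matching).
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+))?(?:\/.*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? `${scheme}:` : origin.protocol;
  if (url.protocol !== wantScheme && !(wantScheme === "http:" && url.protocol === "https:")) return false;
  const hostOk = wildcard ? url.hostname.endsWith(`.${host}`) : url.hostname === host;
  return hostOk && (!port || port === (url.port || DEFAULT_PORT[url.protocol] || ""));
}

// Returns true when the policy lets the page open an XHR/fetch to urlString.
function connectAllowed(policy, urlString, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d["connect-src"] ?? d["default-src"];
  if (!sources) return true; // no governing directive: nothing to enforce
  const url = new URL(urlString);
  const origin = new URL(pageOrigin);
  return sources.some((src) => sourceMatches(src, url, origin));
}
// Constructed policies standing in for an instance's CSP before and after this MR.
const BEFORE = "default-src 'none'; connect-src 'self' wss://example.social";
const AFTER = "default-src 'none'; connect-src 'self' blob: wss://example.social";
```

Listing `blob:` only admits same-document object URLs the page itself created, which is why it is a small relaxation compared with adding a host or `*`.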