Add blob: to connect-src CSP, fixes #1827
I discovered that Soapbox FE actually resizes images in the browser before uploading. It seems the error in #1827 (closed) occurs when the image is large enough that it triggers this resizing.
The resizing code relies on a third-party library, exif-js, which makes an XHR request on the uploaded image while trying to determine its orientation. This code is what triggers the CSP:
function objectURLToBlob(url, callback) {
var http = new XMLHttpRequest();
http.open("GET", url, true);
http.responseType = "blob";
http.onload = function (e) {
if (this.status == 200 || this.status === 0) {
callback(this.response);
}
};
http.send();
}
Maybe there's a better way to get the image's orientation, but I see no reason not to let blob:
through CSP. This MR relaxes the CSP and makes uploads through Soapbox FE work smoothly again.