
Image doesn't display when linked with the Markdown format #275

Closed
ohmer1 opened this issue Jan 26, 2018 · 8 comments
Comments

ohmer1 commented Jan 26, 2018

It works if the link is from the same domain as the PrivateBin host, but doesn't work if the link is from an external domain.

Additional information

![Logo](https://assets-cdn.github.com/images/modules/open_graph/github-mark.png)

![Logo2](https://privatebin.net/img/icon.svg)

The second logo displays fine (same domain), but the first shows a "broken image" in the browser (external domain).

Dev tools log this:
Refused to load the image 'https://assets-cdn.github.com/images/modules/open_graph/github-mark.png' because it violates the following Content Security Policy directive: "img-src 'self'

Basic information

Server address: https://privatebin.net (but I also have the same problem on my own instance)

I can reproduce this issue on https://privatebin.net: Yes

ohmer1 (Author) commented Jan 26, 2018

I RTFM and found that I can already configure the content policy in the configuration file. I whitelisted my root domain name for the img-src. I wonder if this would be an issue to whitelist any source for image, but I don't need it for now. Sorry for the noise!

@ohmer1 ohmer1 closed this as completed Jan 26, 2018
rugk (Member) commented Jan 26, 2018

Yes, you did identify the issue correctly. So you don't have to apologize for the noise; it is indeed a valid issue, considering that it is a feature of Markdown we break here. 🙃
So I reopen this issue; I think it is a valid idea to just allow images from anywhere, they do not pose any risk here. And, of course, admins can adjust it.

@rugk rugk reopened this Jan 26, 2018
elrido (Contributor) commented Apr 29, 2018

I think this does pose a certain risk, as it allows injection of remote code (for example by using exploits in the image processing libraries in the browser); it also allows tracking of server access by third parties. I do see the use case for this with Markdown.

I would suggest leaving it off by default, but adding a FAQ entry (and/or a comment in the config file in the cspheader section) explaining how to enable it and, for example, limit it to images via https (that would probably be img-src 'self' data: https:?) or even to certain domains.

@elrido elrido closed this as completed Jun 30, 2018
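To make the behaviour discussed in this thread concrete (why img-src 'self' refuses the GitHub logo while the privatebin.net icon loads, and what the looser img-src 'self' data: https: or a per-domain allow-list would change), here is an added example that is not part of PrivateBin's code base and not from the issue authors. It implements a deliberately simplified subset of the CSP source-expression matching a browser performs (scheme sources, 'self', 'none', bare and *.host wildcards; no port, path, nonce or hash handling) and runs it over the two image links from the report. The three policy strings are constructed for illustration and are not PrivateBin's shipped cspheader default.

```python
import re
from urllib.parse import urlparse

# Constructed sample policies (hypothetical; not PrivateBin's real default cspheader value).
POLICY_SELF_ONLY = "default-src 'none'; img-src 'self'"
POLICY_HTTPS_IMAGES = "default-src 'none'; img-src 'self' data: https:"
POLICY_ALLOWLIST = "default-src 'none'; img-src 'self' https://assets-cdn.github.com"

# Constructed paste body reusing the two image links from the issue report.
SAMPLE_MARKDOWN = """
![Logo](https://assets-cdn.github.com/images/modules/open_graph/github-mark.png)
![Logo2](https://privatebin.net/img/icon.svg)
"""

IMAGE_LINK_RE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def image_sources(policy):
    """img-src governs <img> loads; when it is absent the browser falls back to default-src."""
    directives = parse_csp(policy)
    return directives.get("img-src", directives.get("default-src", []))


def _source_matches(source, page_origin, url):
    """Simplified CSP source matching: enough to reproduce the behaviour in the issue,
    but it ignores ports, paths, nonces and hashes."""
    s = source.lower()
    u = urlparse(url)
    page = urlparse(page_origin)
    if s == "'none'":
        return False
    if s == "'self'":
        return (u.scheme, u.hostname) == (page.scheme, page.hostname)
    if s == "*":
        # The bare wildcard only covers network schemes, never data: or blob:.
        return u.scheme in ("http", "https", "ws", "wss")
    if s.endswith(":") and "://" not in s:
        # scheme-source such as "https:" or "data:"
        return u.scheme == s[:-1]
    # host-source: [scheme://]host[:port][/path]; the host may begin with "*."
    scheme, _, rest = s.rpartition("://")
    if scheme:
        if u.scheme != scheme:
            return False
    elif not (u.scheme == page.scheme or (page.scheme == "http" and u.scheme == "https")):
        # A scheme-less host-source matches the page's own scheme (or its secure upgrade).
        return False
    hostname = rest.split("/", 1)[0].split(":", 1)[0]
    target = u.hostname or ""
    if hostname.startswith("*."):
        return target.endswith(hostname[1:])
    return target == hostname


def image_allowed(policy, page_origin, image_url):
    """True if a browser enforcing `policy` on a page at `page_origin` would load the image."""
    return any(_source_matches(src, page_origin, image_url) for src in image_sources(policy))


def check_markdown_images(policy, page_origin, markdown_text):
    """Map every ![alt](url) in a paste to whether the CSP would let it load."""
    return {url: image_allowed(policy, page_origin, url)
            for url in IMAGE_LINK_RE.findall(markdown_text)}


if __name__ == "__main__":
    for name, policy in [("self only", POLICY_SELF_ONLY),
                         ("https images", POLICY_HTTPS_IMAGES),
                         ("allow-list", POLICY_ALLOWLIST)]:
        print(name + ":", policy)
        for url, ok in check_markdown_images(policy, "https://privatebin.net", SAMPLE_MARKDOWN).items():
            print("  ", "loads  " if ok else "refused", url)
```

Running it shows the trade-off elrido describes: the 'self'-only policy refuses the external logo (the console message in the report), the https: variant loads any HTTPS image but still refuses plain-http ones, and the allow-list form limits remote loads to the named host, which also bounds which third parties can observe paste views through image fetches.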
rugk (Member) commented Jun 30, 2018

> (for example by using exploits in the image processing libraries in the browser)

Well… very far-fetched, but…

> it does also allow tracking of server access by third parties

That's a point!

So do we have that FAQ/comment already you mentioned earlier?

elrido (Contributor) commented Jun 30, 2018

Feel free to add one, THX.

rugk added a commit that referenced this issue Jul 1, 2018
rugk (Member) commented Jul 1, 2018

ZerooCool (Contributor) commented Jun 25, 2020

+1 for CSP:
Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://privatebin.net/img/icon.svg (« img-src »).

Then, modify the CSP, and/or use only images from your server.

rugk (Member) commented Jun 29, 2020

@ZerooCool Yes this is already stated in our FAQ entry linked directly before your comment: https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images

There is no need to comment here and revive such old issues that are documented and "solved".
