Image doesn't display when linked with the Markdown format #275
Comments
I RTFM and found that I can already configure the content policy in the configuration file. I whitelisted my root domain name for the img-src. I wonder if this would be an issue to whitelist any source for image, but I don't need it for now. Sorry for the noise!
Yes, you did identify the issue correctly. So you don't have to apologize for the noise, it is indeed a valid issue, considering that it is a feature of markdown we break here.🙃
I think this does pose a certain risk of allowing injection of remote code (for example by using exploits in the image processing libraries in the browser); it also allows tracking of server access by third parties. I do see the use case for this with markdown. I would suggest leaving it off by default, but adding a FAQ entry (and/or comment in the config file in the
Well… very far-fetched, but…
That's a point! So do we have that FAQ/comment already you mentioned earlier?
Feel free to add one, THX.
+1 for CSP: then modify the CSP and/or use only images from your server.
@ZerooCool Yes this is already stated in our FAQ entry linked directly before your comment: https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images There is no need to comment here and revive such old issues that are documented and "solved".
It works if the link is from the same domain as the privatebin host, but doesn't work if the link is from an external domain.
Additional information
The second logo displays fine (same domain), but the first shows a "broken image" in the browser (external domain).
Dev tools logs that:
Refused to load the image 'https://assets-cdn.github.com/images/modules/open_graph/github-mark.png' because it violates the following Content Security Policy directive: "img-src 'self'
Basic information
Server address: https://privatebin.net (but I also have the same problem on my own instance)
I can reproduce this issue on https://privatebin.net: Yes
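As an added illustration of the check behind the dev-tools message quoted above (example code written for this page, not part of PrivateBin), here is a small emulation of how a browser matches an image URL against the CSP `img-src` directive. It assumes a page origin of `https://privatebin.net` and uses constructed policy strings, since the real header is only partly quoted in the log; it also handles scheme-sources and `*.` wildcard host-sources, going beyond the `'self'` case in the report.

```python
from urllib.parse import urlsplit

# Constructed policies: the strict one reproduces the refusal in the log above,
# the second shows the effect of whitelisting the external host in img-src.
STRICT_CSP = "default-src 'none'; img-src 'self'; script-src 'self'"
WHITELISTED_CSP = ("default-src 'none'; img-src 'self' https://assets-cdn.github.com; "
                   "script-src 'self'")
PAGE_ORIGIN = "https://privatebin.net"  # origin of the page rendering the paste
GITHUB_LOGO = "https://assets-cdn.github.com/images/modules/open_graph/github-mark.png"
LOCAL_LOGO = "https://privatebin.net/img/logo.png"  # constructed same-origin URL


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern, host):
    """Match a CSP host-source; '*.example.com' covers any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source, url, page_origin):
    """Decide whether one source expression permits loading url from page_origin."""
    page, target = urlsplit(page_origin), urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":  # same scheme and host[:port] as the page itself
        return (page.scheme, page.netloc) == (target.scheme, target.netloc)
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-source such as "https:"
        return target.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    if src.port is not None and src.port != target.port:
        return False
    return host_matches(src.hostname, target.hostname)


def image_allowed(header, url, page_origin=PAGE_ORIGIN):
    """Emulate the browser's img-src check, falling back to default-src."""
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src", ["*"]))
    return any(source_allows(s, url, page_origin) for s in sources)
```

Running `image_allowed(STRICT_CSP, GITHUB_LOGO)` yields the refusal seen in the log, while the same URL passes under `WHITELISTED_CSP` and the same-origin logo passes under both.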