Data protocol not being added to content-security-policy header #23

johnboc · 2018-06-18T13:37:27Z

My secure-headers.php has the following rules for img-src:

'img-src' => [
            'allow' => [
                env('APP_URL') . '/',
            ],
            'types' => [
                //
            ],
            'self' => true,
            'data' => true,
        ],

However when I try to upload an image via a form as soon as the image is dropped on to the input I get the following error:

Refused to load the image 'data:image/jpeg;base64,/9j/4aI5RXhpZgAASUkqAA....//Z' because it violates the following Content Security Policy directive: "img-src 'self' http://localhost:3000/".

It appears that 'data' => true is being ignored.

The text was updated successfully, but these errors were encountered:

bepsvpt · 2018-06-20T03:18:23Z

Hi @johnboc,

After 5.0, you should add data: in schemes. Sorry for not explaining it in document.

'img-src' => [
  'schemes' => [
    'data:',
  ],
],

johnboc · 2018-06-20T06:21:42Z

Thanks that works.

bepsvpt · 2018-06-20T06:31:35Z

If you have any other question, feel free to open a new issue.

bepsvpt closed this as completed Jun 20, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Data protocol not being added to content-security-policy header #23

Data protocol not being added to content-security-policy header #23

johnboc commented Jun 18, 2018

bepsvpt commented Jun 20, 2018

johnboc commented Jun 20, 2018

bepsvpt commented Jun 20, 2018

Data protocol not being added to content-security-policy header #23

Data protocol not being added to content-security-policy header #23

Comments

johnboc commented Jun 18, 2018

bepsvpt commented Jun 20, 2018

johnboc commented Jun 20, 2018

bepsvpt commented Jun 20, 2018