This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
Host images on an isolated domain #2300
Assignees
Labels
security
Security issue: can be an active issue, or related to security hygene
Milestone
Comments
jvehent
added
beta blocker
security
|
Is there any dev work remaining for this? |
|
@ianb bumping this issue. can we close? |
|
Right now this is working because @relud setup an nginx response filter that rewrites image links to the new host. That's a pretty fragile solution, so we still need to do this properly. Probably all that means is using |
|
@ianb should be add another row in the x-functional doc for this? |
|
It's just normal server engineering, there's nothing exceptional about this. We've mitigated the security concern, but need to do some followup work. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Images must not be served via the main pageshot domain to reduce the risk of an image-based XSS stealing the user's cookies.
The text was updated successfully, but these errors were encountered: