@khlr
Contributor

@khlr khlr commented May 27, 2025

I'm wondering if I'm the only one who (by surprise) noticed that the export fails in Firefox (and only in FF) with the following message:

Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-src) at data:application/json;charset=utf-8,... because it violates the following directive: “default-src 'none'”

Chromium based browsers seem to be fine with this. The exports succeed.

First I thought this issue would be related to our latest release (v1.9.0), but nothing was changed in regard to the export function in the first place and even v1.8.0 wouldn't export anything anymore in FF. Hence I think that FF must have tightened something in one of the last browser versions regarding CSP handling...

We could probably fix this with a more specialized CSP than default-src 'none' but I think using the downloads API instead frees us from all those CSP hassles...

@khlr khlr requested review from thijskh and tvdijen May 27, 2025 19:53
Member

@tvdijen tvdijen left a comment

Oi, I think I may have caused this by introducing the CSP-headers in the latest version.. Let's do both, so also add frame-src data:; to the CSP-headers

@khlr
Contributor Author

khlr commented May 28, 2025

Wow... How on earth did I not see those lines...?! I had been wondering for quite a long time where the CSP "suddenly" came from... 🙈😄

> Let's do both

Why that? I think we should either use a permissive CSP (which we should not) or use the alternative proposed in this PR. But I wouldn't mix both?!

@tvdijen
Member

tvdijen commented May 28, 2025

You're right, I dunno what I was thinking. This change should take away the need for the permissive CSP, because it's no longer triggering the issue.

I'd say, go ahead and merge & release!

@khlr khlr merged commit f4a89c6 into main May 28, 2025
@khlr khlr deleted the bugfix/use-downloads-api-to-avoid-csp-issues branch May 28, 2025 18:13
khlr added a commit that referenced this pull request Jun 5, 2025
khlr added a commit that referenced this pull request Jun 5, 2025
* Revert "Use the downloads API to avoid CSP issues (#102)"

This reverts commit f4a89c6.

* Adjust CSP
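
The Firefox error quoted in the opening comment names `frame-src` as the blocked load but `default-src 'none'` as the violated directive, because frame loads fall back to `child-src` and then `default-src` when no `frame-src` is set. The sketch below is an added example, not code from this project; `parseCsp`, `checkDataFrameLoad` and the sample URL are hypothetical names and constructed input. It resolves which directive governs a `data:` frame load and whether that directive permits it.

```javascript
// Added example; not the project's own code. Names and sample input are constructed.

// Parse a serialized CSP into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fallback chain for frame loads: frame-src, then child-src, then default-src.
const FRAME_FALLBACK = ['frame-src', 'child-src', 'default-src'];

// Decide whether a frame load of a data: URL is allowed and by which directive.
// Only scheme-sources are evaluated: 'self', host-sources and '*' never match
// the data: scheme, so an explicit "data:" entry is the only thing that permits it.
function checkDataFrameLoad(policy, url) {
  if (!url.toLowerCase().startsWith('data:')) {
    throw new Error('this check only models data: URLs');
  }
  const directives = parseCsp(policy);
  const governing = FRAME_FALLBACK.find((name) => directives.has(name));
  // No directive in the chain means the policy does not restrict frames.
  if (!governing) return { allowed: true, directive: null };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  return { allowed: sources.includes('data:'), directive: governing };
}

// Constructed sample: a JSON export delivered as a data: URL.
const SAMPLE_EXPORT_URL = 'data:application/json;charset=utf-8,%7B%22k%22%3A1%7D';

console.log(checkDataFrameLoad("default-src 'none'", SAMPLE_EXPORT_URL));
console.log(checkDataFrameLoad("default-src 'none'; frame-src data:", SAMPLE_EXPORT_URL));
```

The second call uses the `frame-src data:` directive proposed in the review; the first reproduces the policy from the error message.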