
Harden Content-Security-Policy - bring all resources to local OMBI, no Gitlab, no Google should be triggered #4492

Open
GAS85 opened this issue Feb 4, 2022 · 9 comments

Comments

@GAS85

GAS85 commented Feb 4, 2022

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Set a Content-Security-Policy header, e.g.:
Header always set Content-Security-Policy "default-src https:; \
    script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
    connect-src 'self'; \
    img-src 'self' data: https://image.tmdb.org https://assets.fanart.tv http://www.gravatar.com; \
    style-src 'self' 'unsafe-inline'; \
    base-uri 'self'; \
    form-action 'self'; \
    font-src 'self' data:"
  2. Open OMBI and see no menu picture - wondering why it is saved on GitHub???
    [screenshot]
  3. Open the console and see a lot of errors, because all fonts are saved on Google:
    [screenshot]

Expected behavior
All Fonts and Pictures must be part of the local OMBI resources.

Desktop (please complete the following information):

  • OS: Ubuntu, Windows

Ombi Version (please complete the following information):

  • Version 4.10.2
  • Media Server Plex
  • Database Type: SQLite
@github-actions

github-actions bot commented Feb 4, 2022

Hi!

Thanks for the issue report. Before a real human comes by, please make sure you used our bug report format.

Have you looked at the wiki yet? https://docs.ombi.app/

Before posting make sure you also read our FAQ.

Make the title describe your issue. Having 'not working' or 'I get this bug' for 100 issues, isn't really helpful.

If we need more information or there is some progress we tag the issue or update the tag and keep you updated.

Thanks!

Ombi Bot.

@jamesmacwhite
Contributor

jamesmacwhite commented Feb 11, 2022

Another image path is the Google Play app store image that is coming from: https://play.google.com/intl/en/badges/static/images/badges/en_badge_web_generic.png and could be hosted within the app.

The issue with the avatar is Gravatar is also possible. Your example shows GitHub because it's the default icon being pulled from the Ombi docs repo.

https://github.com/Ombi-app/Ombi/search?q=raw.githubusercontent.com

There are however two async calls to raw.githubusercontent.com which might also be problematic currently from a non image scenario.

@GAS85
Author

GAS85 commented Feb 14, 2022

So, admins have to include information that tmdb.org, fanart.tv and gravatar.com are used by this service. The rest must be moved inside the app. E.g. the icon for the App Store is in the package, but, as mentioned above, the Google Play one is not.
[screenshot]

@tidusjar
Member

Thanks for the investigations, I'm open to any PRs regarding this

@jamesmacwhite
Contributor

Hosting the Google Play image is simple enough, however there does seem to be logic currently that's dynamically generating the Google Play store image relative to the locale set in preferences, which Google provides. However it appears that another screen just has the EN Google Play image static. Possibly some code duplication that can be resolved at the same time.

The fallback Ombi logo can be moved into the app rather than calling GitHub paths, but external images for Gravatar may still need adding to img-src because there's not really a way around that.

@GAS85
Author

GAS85 commented Feb 14, 2022

Are they coming from https://*.gravatar.com or https://gravatar.com?

@jamesmacwhite
Contributor

jamesmacwhite commented Feb 14, 2022

Gravatar avatars are being served from the main domain www.gravatar.com so this should be acceptable to add as https://www.gravatar.com on img-src without being too wide in the same way as the image.tmdb.org domain.

The raw.githubusercontent.com domain is serving: https://raw.githubusercontent.com/Ombi-app/Ombi/gh-pages/img/android-chrome-512x512.png which can be moved into the app.

The fonts are currently being served by Google Fonts, the WOFF font files would need to be moved into the app assets and referenced as font-face rules instead.

The Google Play image badge can be self hosted, but it looks like someone made the Google Play badge language aware and dynamically configures the path with the language set to serve a translated badge (Google hosts many language specific versions). You can see this on the user preferences page. Replicating this would mean self hosting a lot of versions of the Google Play badge to keep this behaviour.

<a href="https://play.google.com/store/apps/details?id=com.tidusjar.Ombi&pcampaignid=pcampaignidMKT-Other-global-all-co-prtnr-py-PartBadge-Mar2515-1"
target="_blank"><img width="200" alt="Get it on Google Play"
src="https://play.google.com/intl/{{ selectedLang }}/badges/static/images/badges/{{ selectedLang }}_badge_web_generic.png" /></a>

There is also duplication of the app store badges on two different screens which could possibly do with being referenced as its own template file to be included in both, without duplicating.
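An added checker, not code from this thread or from Ombi, that parses the policy from the first post and reports which of the resources discussed above it would block. The Google Fonts host (fonts.gstatic.com), the Gravatar URL and the Ombi origin are assumptions; beyond the thread's cases it also models the CSP rules the discussion turns on: the default-src fallback, an http host-source matching an https URL, and *.host wildcards.

```python
from urllib.parse import urljoin, urlparse

# The Apache CSP from the first post of this thread, joined onto one line.
POLICY = ("default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; "
          "img-src 'self' data: https://image.tmdb.org https://assets.fanart.tv http://www.gravatar.com; "
          "style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; font-src 'self' data:")

# Resources named in the thread, plus an assumed Google Fonts host (fonts.gstatic.com), a
# constructed Gravatar URL, and a relative path that Ombi itself serves.
RESOURCES = [
    ("img-src", "https://raw.githubusercontent.com/Ombi-app/Ombi/gh-pages/img/android-chrome-512x512.png"),
    ("img-src", "https://play.google.com/intl/en/badges/static/images/badges/en_badge_web_generic.png"),
    ("img-src", "https://www.gravatar.com/avatar/EXAMPLEHASH"),
    ("img-src", "https://image.tmdb.org/t/p/w500/poster.jpg"),
    ("font-src", "https://fonts.gstatic.com/s/roboto/v30/example.woff2"),
    ("img-src", "/images/logo.png"),
]

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    parts = [d.split() for d in header.split(";")]
    return {p[0].lower(): p[1:] for p in parts if p}

def source_allows(source, url, origin):
    """Match one source expression against an absolute url fetched by a page at origin (ports/paths not modelled)."""
    src, u = source.lower(), urlparse(url)
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == origin
    if src.endswith(":") and "/" not in src:          # scheme-source: https:, data:, ...
        return u.scheme == src[:-1]
    if src.startswith("'"):                           # 'none', 'unsafe-inline', nonces, hashes
        return False
    s = urlparse(src if "://" in src else "//" + src)  # host-source, scheme optional
    schemes = {s.scheme or urlparse(origin).scheme}
    if "http" in schemes:
        schemes.add("https")                          # CSP3: an http source also matches https URLs
    host, uhost = s.hostname or "", u.hostname or ""
    if host.startswith("*."):                         # wildcard: subdomains only, not the bare host
        return u.scheme in schemes and uhost.endswith(host[1:])
    return u.scheme in schemes and uhost == host

def is_allowed(policy, directive, url, origin):
    """Fetch directives that are absent fall back to default-src; relative URLs resolve to self."""
    url = urljoin(origin + "/", url)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_allows(s, url, origin) for s in sources)

def blocked_resources(header, origin, resources=RESOURCES):
    """Return the (directive, url) pairs the policy would refuse to load."""
    policy = parse_csp(header)
    return [(d, url) for d, url in resources if not is_allowed(policy, d, url, origin)]
```

Running `blocked_resources(POLICY, "https://ombi.example")` lists the GitHub logo, the Google Play badge and the Google font, which is exactly the set the thread proposes to move into the app, while Gravatar and tmdb stay allowed.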

@GAS85
Author

GAS85 commented Aug 10, 2022

This is a German article about the bad experience of using even Google fonts: https://www.golem.de/news/google-fonts-abmahnungen-an-webseitenbetreiber-mit-google-schriftarten-2208-167472.html
Everything must be approved by the user, so if I add tmdb.org, fanart.tv and gravatar.com to my legal note, the rest should be moved out, especially Google 😆 .

@tidusjar
Member

tidusjar commented Aug 10, 2022

This is not something that's top of the priority list for me, but I'd be happy for any pull requests
