Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UI: Load img from file instead of from a data tag #914

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

UI: Load img from file instead of from a data tag #914

wants to merge 1 commit into from
+2 −1

Conversation

viktorerlingsson
Copy link
Member

WHAT is this pull request doing?

Load arrow-down.svg from file instead of from data-tag to abide by Content Security Policy.

Fixes console error:

Refused to load the image 'data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 20 20'%3e%3cpath stroke='%23f7f5f2' stroke-linecap='round' stroke-linejoin='round' stroke-width='1.5' d='M6 8l4 4 4-4'/%3e%3c/svg%3e' because it violates the following Content Security Policy directive: "img-src 'self'".

HOW can this pull request be tested?

Start LavinMQ, make sure the arrow in the vhost dropdown is shown.

image

@viktorerlingsson viktorerlingsson requested a review from a team as a code owner January 17, 2025 14:32
@ThomasSarlin
Copy link

Shouldn't the same error appear due to this line? :)

lavinmq/static/main.css

Line 1919 in fb03806

content: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none'%3E%3Cpath d='M20 21V19C20 17.9391 19.5786 16.9217 18.8284 16.1716C18.0783 15.4214 17.0609 15 16 15H8C6.93913 15 5.92172 15.4214 5.17157 16.1716C4.42143 16.9217 4 17.9391 4 19V21' stroke='%23F7F5F2' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3Cpath d='M12 11C14.2091 11 16 9.20914 16 7C16 4.79086 14.2091 3 12 3C9.79086 3 8 4.79086 8 7C8 9.20914 9.79086 11 12 11Z' stroke='%23F7F5F2' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E");

@viktorerlingsson
Copy link
Member Author

Shouldn't the same error appear due to this line? :)

lavinmq/static/main.css

Line 1919 in fb03806

content: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none'%3E%3Cpath d='M20 21V19C20 17.9391 19.5786 16.9217 18.8284 16.1716C18.0783 15.4214 17.0609 15 16 15H8C6.93913 15 5.92172 15.4214 5.17157 16.1716C4.42143 16.9217 4 17.9391 4 19V21' stroke='%23F7F5F2' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3Cpath d='M12 11C14.2091 11 16 9.20914 16 7C16 4.79086 14.2091 3 12 3C9.79086 3 8 4.79086 8 7C8 9.20914 9.79086 11 12 11Z' stroke='%23F7F5F2' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E");

Hmm, yes, sort of. But that is never loaded because #usermenu-button is display:none, so there's no error. Maybe that can just be removed then @bengtmagnus ?

@carlhoerberg
Copy link
Member

carlhoerberg commented Jan 17, 2025
edited
Loading

An alternative could be to modify the CSP: Content-Security-Policy: img-src data: avoids a http request for a tiny svg, but might have other downsides..

@viktorerlingsson
Copy link
Member Author

An alternative could be to modify the CSP: Content-Security-Policy: img-src data: avoids a http request for a tiny svg, but might have other downsides..

Yeah, I think allowing data: might increase the risks for some XSS, so this felt like the safest option.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@viktorerlingsson @ThomasSarlin @carlhoerberg