Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: use https when fetching/referencing external resources #927

Merged
merged 1 commit into from
Apr 13, 2023
Merged

chore: use https when fetching/referencing external resources #927

merged 1 commit into from
Apr 13, 2023

Conversation

Rubonnek
Copy link
Contributor

I'm currently implementing a content security policy header for my site and stumbled upon some violations related to certain resources being fetched through http instead of https.

This PR attempts to mitigate that issue -- I'm not sure if all of the changes I've made are required.

As an additional note, I started working on this after scanning my site through the Mozilla Observatory.

@netlify
Copy link

netlify bot commented Apr 12, 2023
edited
Loading

Deploy Preview for hbs-docs ready!

Name Link
🔨 Latest commit a021385
🔍 Latest deploy log https://app.netlify.com/sites/hbs-docs/deploys/64375c3554abb5000884cf3f
😎 Deploy Preview https://deploy-preview-927--hbs-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@Rubonnek
Copy link
Contributor Author

Welp, now I don't think this patch is actually needed. I guess it doesn't hurt to switch to https where possible, but feel free to close this issue.

I just figured my issue was that I was trying to filter the data URIs using the wrong filter.

When implementing the CSP I stumbled upon this message where I saw the data:image/svg+xml,%3csvg URI:

rubonnek.com/:34 Refused to load the image 'data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 16 16' fill='%23000'%3e%3cpath d='M.293.293a1 1 0 0 1 1.414 0L8 6.586 14.293.293a1 1 0 1 1 1.414 1.414L9.414 8l6.293 6.293a1 1 0 0 1-1.414 1.414L8 9.414l-6.293 6.293a1 1 0 0 1-1.414-1.414L6.586 8 .293 1.707a1 1 0 0 1 0-1.414z'/%3e%3c/svg%3e' because it violates the following Content Security Policy directive: "img-src 'self' https://*.itch.io https://itch.io".

So I figured I should add either data:image/svg or data:image/svg+xml to img-src but none worked and according to Stack Overflow only data: is needed. The browser doesn't care if the images come from http or https.

@razonyang
Copy link
Owner

The rest of PR is OK, you can revert RSS changes, I'll merge it later.
Thanks for your contributions.

@Rubonnek
Copy link
Contributor Author

RSS changes reverted.

razonyang
razonyang approved these changes Apr 13, 2023
View reviewed changes
layouts/partials/rss.html Outdated Show resolved Hide resolved
@razonyang razonyang merged commit 151bf5a into razonyang:master Apr 13, 2023
@razonyang
Copy link
Owner

Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@razonyang razonyang razonyang approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Rubonnek @razonyang