Allow blob as a valid origin for img/media (#1131)
wwwillchen authored Dec 5, 2024
1 parent 121af06 commit 5212217
Showing 5 changed files with 10 additions and 10 deletions.
4 changes: 2 additions & 2 deletions mesop/server/static_file_serving.py
Expand Up @@ -233,8 +233,8 @@ def add_security_headers(response: Response):
# Mesop app developers should be able to iframe other sites.
"frame-src": "*",
# Mesop app developers should be able to load images and media from various origins.
"img-src": "'self' data: https: http:",
"media-src": "'self' data: https:",
"img-src": "'self' data: https: http: blob:",
"media-src": "'self' data: https: blob:",
# Need 'unsafe-inline' because we apply inline styles for our components.
# This is also used by Angular for animations:
# https://github.com/angular/angular/pull/55260
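Review bot: the comment directly above the changed `img-src`/`media-src` entries still says "from various origins", but `blob:` is not another origin: a blob URL can only be minted by script already executing in this document (via `URL.createObjectURL`), so under the nonce-based `script-src` it is effectively a same-origin source and a far smaller relaxation than the existing `https:`/`http:` entries. Suggest extending that comment to name which client-side feature needs `blob:` and why it is safe, so a later reader does not mistake it for a wildcard. The pre-existing asymmetry (`img-src` allows `http:`, `media-src` does not) is untouched here; if that is deliberate, a one-line comment would help.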
@@ -1,8 +1,8 @@
default-src 'self'
font-src fonts.gstatic.com data:
frame-src *
img-src 'self' data: https: http:
media-src 'self' data: https:
img-src 'self' data: https: http: blob:
media-src 'self' data: https: blob:
style-src 'self' 'unsafe-inline' fonts.googleapis.com
script-src 'self' 'nonce-{{NONCE}}'
trusted-types angular angular#unsafe-bypass lit-html highlight.js
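Review bot: this snapshot only proves the header text changed, not that a `blob:` resource actually loads under the policy. Consider pairing the snapshot update with an e2e step that creates an object URL in the page and asserts the image or media element loads without a CSP violation report; a snapshot catches ordering or whitespace drift, but a malformed source expression (for example a scheme quoted like a keyword, which browsers silently ignore) would still pass a snapshot refresh.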
@@ -1,8 +1,8 @@
default-src 'self'
font-src fonts.gstatic.com data:
frame-src *
img-src 'self' data: https: http:
media-src 'self' data: https:
img-src 'self' data: https: http: blob:
media-src 'self' data: https: blob:
style-src 'self' 'unsafe-inline' fonts.googleapis.com http://google.com/stylesheets%2C1%3B2
script-src 'self' 'nonce-{{NONCE}}' http://google.com/allowed_script_srcs/1%2C1%3B2 http://google.com/allowed_script_srcs/2%2C1%3B2
trusted-types angular angular#unsafe-bypass lit-html highlight.js
@@ -1,8 +1,8 @@
default-src 'self'
font-src fonts.gstatic.com data:
frame-src *
img-src 'self' data: https: http:
media-src 'self' data: https:
img-src 'self' data: https: http: blob:
media-src 'self' data: https: blob:
style-src 'self' 'unsafe-inline' fonts.googleapis.com
script-src 'self' 'nonce-{{NONCE}}'
trusted-types angular angular#unsafe-bypass lit-html highlight.js ttpolicy1 ttpolicy2
4 changes: 2 additions & 2 deletions mesop/tests/e2e/snapshots/web_security_test.ts_csp.txt
@@ -1,8 +1,8 @@
default-src 'self'
font-src fonts.gstatic.com data:
frame-src *
img-src 'self' data: https: http:
media-src 'self' data: https:
img-src 'self' data: https: http: blob:
media-src 'self' data: https: blob:
style-src 'self' 'unsafe-inline' fonts.googleapis.com
script-src 'self' 'nonce-{{NONCE}}'
trusted-types angular angular#unsafe-bypass lit-html highlight.js