[openstreetmap/openstreetmap-website] Include data: when using allow_thirdparty_images CSP (PR #5378)

Anton Khorev notifications at github.com
Wed Dec 4 16:33:15 UTC 2024 

We have `allow_thirdparty_images` policy on some pages that sets `img-src` policy to `*`. But `*` does not include data uris. That causes some of the ui elements to disappear.

For example, on `/account/edit` there's no dropdown icon:
![image](https://github.com/user-attachments/assets/faa20e87-2740-46bb-a1c3-c66ca075fc6b)

After this fix:
![image](https://github.com/user-attachments/assets/8a6cb78b-a10e-4847-a329-b473a297fbea)

You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/5378

-- Commit Summary --

  * Include data: when using allow_thirdparty_images CSP

-- File Changes --

    M app/controllers/application_controller.rb (2)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/5378.patch
https://github.com/openstreetmap/openstreetmap-website/pull/5378.diff

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/5378
You are receiving this because you are subscribed to this thread.

Message ID: <openstreetmap/openstreetmap-website/pull/5378 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20241204/db2f79f5/attachment.htm>

More information about the rails-dev mailing list