
Chrome with CSP img-src * still blocks images

My webapp has a Content Security Policy that sets img-src to * (load images from anywhere), yet Chrome still blocks some images from loading...

Refused to load the image 'data:image/webp;base64,UklGRhoAAABXRUJQVlA4TA0AAAAvAAAAEAcQERGIiP4HAA==' because it violates the following Content Security Policy directive: "img-src *".
    lg @ js?libraries=places,geometry&v=3&callback=async_req_1:84
    (anonymous function) @ js?libraries=places,geometry&v=3&callback=async_req_1:119
    google.maps.Load @ js?libraries=places,geometry&v=3&callback=async_req_1:21
    (anonymous function) @ js?libraries=places,geometry&v=3&callback=async_req_1:118
    (anonymous function) @ js?libraries=places,geometry&v=3&callback=async_req_1:119

If I include 'data:' in the directive, the error is not shown in the console.

img-src * data:;

However, that is not a valid directive. Is there a valid img-src CSP value that would satisfy Chrome, or is this perhaps a Chrome bug? I was not able to find any direct matches in the accessible bug list. I'm speculating this might be related to images embedded in SVG files. Firefox and Safari do not exhibit this behavior.

jmelvin Avatar asked Dec 04 '15 19:12


1 Answer

content-security-policy.com is wrong. See w3.org/TR/CSP2/#source-list-guid-matching.

As defined above, special URL schemes that refer to specific pieces of unique content, such as "data:", "blob:" and "filesystem:" are excluded from matching a policy of * and must be explicitly listed.

* does not include 'unsafe-inline' or 'unsafe-eval' either.

oreoshake Avatar answered Oct 22 '22 15:10

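As an added example (not code from the question or the answer), the following JavaScript implements the CSP2 source-list matching rules the answer cites, so you can see why "img-src *" refuses the data: image while "img-src * data:" admits it. It assumes a hypothetical page origin of https://example.test and ignores path matching in host sources.

```javascript
// Minimal CSP2 source-expression matcher for img-src (added example, not browser code).
// data:, blob: and filesystem: are the "special" schemes that "*" never matches.
const SPECIAL_SCHEMES = new Set(["data:", "blob:", "filesystem:"]);

// Parse "img-src * data:; default-src 'self'" into { "img-src": ["*", "data:"], ... }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function defaultPort(protocol) { return protocol === "https:" ? "443" : "80"; }

// Does one source expression match the URL, following CSP2 source-list matching?
function sourceMatches(expr, url, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "*") return !SPECIAL_SCHEMES.has(url.protocol); // * excludes data:/blob:/filesystem:
  if (lower === "'self'") return url.origin === pageOrigin;
  if (lower === "'none'") return false;
  if (lower.endsWith(":")) return url.protocol === lower;        // scheme-source, e.g. "data:"
  // host-source: [scheme://][*.]host[:port]; paths are not handled in this example.
  const m = lower.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ":" !== url.protocol) return false;
  if (!scheme && !["http:", "https:"].includes(url.protocol)) return false;
  const hostOk = wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*" && port !== (url.port || defaultPort(url.protocol))) return false;
  return true;
}

// Simulate the browser's decision for an <img> load under the given policy header.
function cspAllowsImage(policy, imageUrl, pageOrigin = "https://example.test") {
  const d = parsePolicy(policy);
  const sources = d["img-src"] || d["default-src"]; // img-src falls back to default-src
  if (!sources) return true;                        // nothing governs images: allowed
  const url = new URL(imageUrl, pageOrigin);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// The data: image from the question, refused under "img-src *" but allowed with "data:" listed.
const DATA_IMG = "data:image/webp;base64,UklGRhoAAABXRUJQVlA4TA0AAAAvAAAAEAcQERGIiP4HAA==";
console.log(cspAllowsImage("img-src *", DATA_IMG), cspAllowsImage("img-src * data:", DATA_IMG));
```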