Allow stylesheets (Bootstrap) to embed images as data URIs (#2015)
YoshiRulz authored Oct 20, 2024
1 parent 55f7277 commit 00406df
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion TASVideos/Extensions/ApplicationBuilderExtensions.cs
Expand Up @@ -61,7 +61,7 @@ public static IApplicationBuilder UseMvcWithOptions(this IApplicationBuilder app
"font-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/", // CSS `font: url();` and `@font-face { src: url(); }` will be blocked unless they're from one of these domains (this also blocks nonstandard fonts installed on the system maybe)
"form-action 'self'", // domains allowed for `<form action/>` (POST target page)
"frame-src 'self' https://www.youtube.com/embed/", // allow these domains in <iframe/>
"img-src *", // allow hotlinking images from any domain in UGC (not great)
"img-src * data:", // allow hotlinking images from any domain in UGC (not great)
"require-trusted-types-for 'script'", // experimental, but Google seems to be pushing it: should block `HTMLScriptElement.innerHTML = "user.pwn();";`, and similarly block adding in-line scripts as attrs
$"script-src 'self' {string.Join(' ', trustedJsHosts)}", // `<script/>`s will be blocked unless they're from one of these domains
"style-src 'unsafe-inline' 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/", // allow `<style/>`, and `<link rel="stylesheet"/>` if it's from our domain or trusted CDN
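Review bot: the trailing comment on the changed `img-src` line was left unchanged, so it still describes only hotlinking and says nothing about the new `data:` source or why it is needed; suggest extending it, for example `"img-src * data:", // any domain (UGC hotlinking, not great) plus data: URIs, since `*` does not match the data: scheme and the Bootstrap stylesheets embed images that way`. That comment should also state that `data:` applies to the whole directive: it permits `<img src="data:...">` in user-generated content as well, not only the stylesheet-embedded images the commit title targets, because CSP has no way to restrict a scheme source to requests originating from CSS.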
