Content Security Policy warnings when pasting images

When I comment out the default CSP (Content Security Policy) in a Rails application,
```ruby
Rails.application.config.content_security_policy do |policy|
   # ...
   policy.img_src :self, :https, :data
   # ...
end
```

Pasting an image in the editor results in the following in the browser
> Refused to load the image 'blob:<URL>' because it violates the following Content Security Policy directive: "img-src 'self' <URL> <URL> data:".
> Refused to load the image 'blob:http://example.com/426e8cf7-faab-4141-87ad-8e30eb54ad6d' because it violates the following Content Security Policy directive: "img-src 'self', 'https', data:".

The warning can be fixed by adding `:blob` to the policy,
```ruby
   policy.img_src :self, :https, :data, :blob
```
but that makes things less secure.

It would be nice, if we could tie `blob` to a URI, for example "blob:http://example.com" but that is not (yet) supported by the CSP standard.

Things still seem to work as expected even when warnings are show, and the images get uploaded.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Content Security Policy warnings when pasting images #1224

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Content Security Policy warnings when pasting images #1224

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions