[bug] img-src CSP does not include media domain if redirected #771

Open
opened 2024-05-05 07:55:32 +00:00 by nopjmp · 0 comments

Your setup

OTP

Extra details

Debian GNU/Linux 12 (bookworm)

Version

3.13.1-0-gc02e343

PostgreSQL version

15.6

What were you trying to do?

Going to https://instance.domain/

What did you expect to happen?

All images load correctly and the timeline feed looks correct.

What actually happened?

No images load other than static images and only the placeholders exist.

Logs

```shell
# CSP Headers
# / that redirects to /main/friends
upgrade-insecure-requests;style-src 'self' 'nonce-x5ztBlb01xnDaah';font-src 'self';script-src 'self' 'nonce-x5ztBlb01xnDaah' ;connect-src 'self' https://thewired.wtf wss://thewired.wtf ;media-src 'self';img-src 'self' data: blob:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';

# /main/friends directly
upgrade-insecure-requests;style-src 'self' 'nonce-EA6LDuPRe9USdD1';font-src 'self';script-src 'self' 'nonce-EA6LDuPRe9USdD1' ;connect-src 'self' https://thewired.wtf wss://thewired.wtf https://media.thewired.wtf https://media.thewired.wtf;media-src 'self' https://media.thewired.wtf https://media.thewired.wtf;img-src 'self' data: blob: https://media.thewired.wtf https://media.thewired.wtf;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';
```

Severity

I can manage

Have you searched for this issue?

  • I have double-checked and have not found this issue mentioned anywhere.
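A small diagnostic for the behaviour described in this report, written as an added example for this page (it is not Akkoma's code): it parses both Content-Security-Policy values quoted in the logs, ignores the per-response nonces, reports which sources the redirected response is missing per directive, and then checks whether a concrete image URL would be allowed under each policy. The two header strings are copied from the report; the helper names, the sample image URL and the page origin https://thewired.wtf are this example's assumptions.

```python
"""Parse Content-Security-Policy headers and diff them across two responses.

Added example for this issue, not Akkoma's own code. The header values are
the ones quoted in the report; function names are this example's own.
"""
from urllib.parse import urlsplit

# Copied from the report: CSP when / redirects to /main/friends ...
CSP_VIA_REDIRECT = (
    "upgrade-insecure-requests;style-src 'self' 'nonce-x5ztBlb01xnDaah';"
    "font-src 'self';script-src 'self' 'nonce-x5ztBlb01xnDaah' ;"
    "connect-src 'self' https://thewired.wtf wss://thewired.wtf ;"
    "media-src 'self';img-src 'self' data: blob:;default-src 'none';"
    "base-uri 'none';frame-ancestors 'none';manifest-src 'self';"
)
# ... and when /main/friends is requested directly.
CSP_DIRECT = (
    "upgrade-insecure-requests;style-src 'self' 'nonce-EA6LDuPRe9USdD1';"
    "font-src 'self';script-src 'self' 'nonce-EA6LDuPRe9USdD1' ;"
    "connect-src 'self' https://thewired.wtf wss://thewired.wtf "
    "https://media.thewired.wtf https://media.thewired.wtf;"
    "media-src 'self' https://media.thewired.wtf https://media.thewired.wtf;"
    "img-src 'self' data: blob: https://media.thewired.wtf https://media.thewired.wtf;"
    "default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';"
)


def parse_csp(header):
    """Return {directive: [source, ...]} in order, dropping repeated sources
    (the direct response lists media.thewired.wtf twice per directive)."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # trailing ';' or empty segment
        name, sources = tokens[0].lower(), tokens[1:]
        seen = policy.setdefault(name, [])
        for src in sources:
            if src not in seen:
                seen.append(src)
    return policy


def diff_csp(expected, actual):
    """Sources present in `expected` but absent from `actual`, per directive.
    Nonces are per-response values, so they are not treated as a difference."""
    missing = {}
    for name, sources in expected.items():
        have = actual.get(name, [])
        gap = [s for s in sources if not s.startswith("'nonce-") and s not in have]
        if gap:
            missing[name] = gap
    return missing


def allows(policy, directive, url, page_origin):
    """Whether `url` is permitted by `directive` (falling back to default-src).
    Covers the source forms seen in the report: 'self', 'none', scheme-only
    sources such as data:/blob:, and exact scheme://host host-sources.
    Wildcards and path matching are deliberately not implemented."""
    sources = policy.get(directive, policy.get("default-src", []))
    if "'none'" in sources:
        return False
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and parts.scheme == src[:-1]:
            return True
        if src == origin:
            return True
    return False


if __name__ == "__main__":
    redirected, direct = parse_csp(CSP_VIA_REDIRECT), parse_csp(CSP_DIRECT)
    for name, gap in diff_csp(direct, redirected).items():
        print(f"{name}: redirected response is missing {' '.join(gap)}")
    # Constructed sample URL on the media domain from the report.
    image = "https://media.thewired.wtf/example.png"
    print("image allowed via redirect:", allows(redirected, "img-src", image, "https://thewired.wtf"))
    print("image allowed direct:      ", allows(direct, "img-src", image, "https://thewired.wtf"))
```

Running it against the two headers reports the media host missing from `connect-src`, `media-src` and `img-src` in the redirected response, which is exactly why only static (same-origin) images render after landing on `/`; the same diff is a cheap regression check for any instance that builds its CSP per request.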
nopjmp added the
bug
label 2024-05-05 07:55:32 +00:00
Reference: AkkomaGang/akkoma#771