CSP too strict

On firefox 45, remote images are not shown in the webmail because of the CSP:

Content Security Policy: The page's settings blocked the loading of a resource at https://sendy.nitrokey.com/uploads/1431348652.png ("img-src https://mail.fripost.org").

Oh wait, that’s weird: it seems to block data-urls too:

Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org").

I’m not too excited about allowing browsers to load images from arbitrary sources, but did it anyway with the hope that roundcube’s anti-XSS filter is good enough. I’ve also checked with the Email Privacy Tester that other external resources blocked by the CSP are probably malicious. closed. – ?guilhem
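The two console messages above show the same rule from two sides: a host-source such as https://mail.fripost.org only matches that origin, and a data: URI is never matched by a host-source, so data: has to be listed as its own scheme-source. The checker below is an added example (not part of this wiki page and not Roundcube code) that models the subset of CSP source matching needed to reproduce both messages and to compare the strict policy with a relaxed one; the relaxed header and the page origin are constructed for the example, and wildcards other than `*`, nonces and hashes are not handled.

```python
from urllib.parse import urlsplit

# CSP Level 2: these schemes are only matched when listed explicitly,
# which is why "img-src https://mail.fripost.org" (and even "img-src *")
# blocks data: images.
_EXPLICIT_SCHEMES = {"data", "blob", "filesystem"}


def parse_policy(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_source_matches(source: str, url: str, page_origin: str) -> bool:
    """Host-source matching: scheme, host (with optional *. prefix) and port."""
    u = urlsplit(url)
    if "://" not in source:              # bare host: inherit the page's scheme
        source = urlsplit(page_origin).scheme + "://" + source
    s = urlsplit(source)
    # An http source also matches the https upgrade of the same host.
    scheme_ok = s.scheme == u.scheme or (s.scheme == "http" and u.scheme == "https")
    if not scheme_ok or not u.hostname:  # data: URLs have no host at all
        return False
    if s.hostname.startswith("*."):
        host_ok = u.hostname.endswith(s.hostname[1:])
    else:
        host_ok = s.hostname == u.hostname
    return host_ok and s.port == u.port


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression from a directive allow this URL?"""
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return _host_source_matches(page_origin, url, page_origin)
    if source == "*":
        return u.scheme not in _EXPLICIT_SCHEMES
    if source.endswith(":"):             # scheme-source such as https: or data:
        return u.scheme == source[:-1].lower()
    return _host_source_matches(source, url, page_origin)


def image_allowed(header: str, url: str, page_origin: str) -> bool:
    """Apply img-src (falling back to default-src) to an image URL."""
    policy = parse_policy(header)
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:                  # no applicable directive: unrestricted
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


# The policy quoted in the console messages, and a relaxed alternative
# (constructed for this example) that lists https: and data: explicitly.
STRICT_CSP = "img-src https://mail.fripost.org"
RELAXED_CSP = "default-src 'self'; img-src 'self' https: data:"
PAGE_ORIGIN = "https://mail.fripost.org"

REMOTE_IMG = "https://sendy.nitrokey.com/uploads/1431348652.png"
DATA_IMG = ("data:image/gif;base64,"
            "R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==")
HTTP_IMG = "http://example.com/tracker.png"   # constructed plain-http image

if __name__ == "__main__":
    for name, url in (("remote", REMOTE_IMG), ("data", DATA_IMG), ("http", HTTP_IMG)):
        print(f"{name:7} strict={image_allowed(STRICT_CSP, url, PAGE_ORIGIN)!s:5} "
              f"relaxed={image_allowed(RELAXED_CSP, url, PAGE_ORIGIN)}")
```

Note that the relaxed policy still rejects plain http: images: the scheme-source https: matches only https, so such images stay blocked unless the browser upgrades them first or http: is added to the list.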



Comments

Still a problem with http urls

Now some of the images work but not all. According to Firefox’ console, http URLs are upgraded to https which may not work all the time.

I don’t know if it is possible but a better way to do this may be to use roundcube as a proxy for images and other inline content?



comment 3

I understand your frustration…

I found that someone opened a related issue against Roundcube about this almost exactly 2 years ago: Image proxy #5099. It doesn’t seem to be considered high priority and I can understand as it’s probably not an easy thing to get right.

Another interesting way to fix this would be to have a tool that inlines all the images in an email (turn the remote images into data urls) which you would run on all incoming messages (maybe using sieve?). The only problem is that it might considerably blow up the size of your mailboxes but given the benefits, it might be worth a try.


comment 4

Would be nice to have such proxy, indeed. Besides the mailbox overhead, another downside of the sieve hack is that this would invalidate all integrity checking such as DKIM or OpenPGP.
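The image proxy discussed in the comments above (comment 2's suggestion, Roundcube issue #5099, and comment 4's preference for it over the sieve hack) comes down to two pieces: rewriting every remote `<img src>` in the rendered mail to point at a webmail-owned endpoint, and making that endpoint refuse any URL it did not itself sign, so it cannot be abused as an open relay. The following is an added example of that rewrite (not Roundcube's code and not part of this wiki page), using the signed-URL layout popularised by GitHub's Camo; the proxy route `https://mail.fripost.org/imgproxy/` and the secret are assumptions, and the HTML fragment is constructed. With every image coming from the proxy, a strict `img-src 'self'` policy is enough again, and message integrity is untouched because the stored message is never modified.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this example: PROXY_BASE would be a real route of the
# webmail and SECRET would come from its configuration, not from source.
PROXY_BASE = "https://mail.fripost.org/imgproxy/"
SECRET = b"constructed-example-key-do-not-reuse"


def proxy_url(remote: str) -> str:
    """Map a remote image URL to PROXY_BASE/<hex HMAC-SHA256(url)>/<hex url>."""
    mac = hmac.new(SECRET, remote.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}{mac}/{remote.encode().hex()}"


def verify_proxy_path(path: str):
    """Server side: return the remote URL only if the signature is valid,
    otherwise None.  Any tampered or hand-built path is rejected."""
    parts = path.strip("/").split("/")
    if len(parts) < 2:
        return None
    mac, encoded = parts[-2], parts[-1]
    try:
        remote = bytes.fromhex(encoded).decode()
    except ValueError:
        return None
    expected = hmac.new(SECRET, remote.encode(), hashlib.sha256).hexdigest()
    return remote if hmac.compare_digest(mac, expected) else None


def _should_proxy(src: str) -> bool:
    """Only http(s) images on foreign hosts go through the proxy; data: and
    same-origin images are left as they are."""
    u = urlsplit(src)
    return u.scheme in ("http", "https") and u.hostname != urlsplit(PROXY_BASE).hostname


class ImgRewriter(HTMLParser):
    """Re-emit the HTML unchanged except for the src attribute of <img>."""

    def __init__(self):
        super().__init__()
        self.out = []

    def _emit_tag(self, tag, attrs, selfclosing):
        if tag != "img":
            self.out.append(self.get_starttag_text())
            return
        parts = [f"<{tag}"]
        for name, value in attrs:
            if name == "src" and value and _should_proxy(value):
                value = proxy_url(value)
            parts.append(f' {name}="{escape(value or "", quote=True)}"')
        parts.append(" />" if selfclosing else ">")
        self.out.append("".join(parts))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def rewrite_images(html: str) -> str:
    parser = ImgRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed message body: one remote image, one inline data: image.
SAMPLE_HTML = ('<p>Hi<img src="https://sendy.nitrokey.com/uploads/1431348652.png" alt="x">'
               '<img src="data:image/gif;base64,R0lGOD"></p>')

if __name__ == "__main__":
    rewritten = rewrite_images(SAMPLE_HTML)
    print(rewritten)
    first_proxy_path = urlsplit(rewritten.split('src="', 1)[1].split('"', 1)[0]).path
    print("proxy resolves to:", verify_proxy_path(first_proxy_path))
```

The proxy handler itself (fetch the verified URL server-side, check the response is an image, cap its size, return it with the webmail's own headers) is left out here; the signed path is what keeps that handler from becoming a fetch-anything service for anyone who can craft a URL.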