Allow dataurl in CSP-Origin for generated dom elements on /preview endpoint
Summary:
It appears that the CSP policy here allows 'data:' URLs: https://github.com/ordinals/ord/blob/4990542ad063346f68312dab71ba88d3a2bb8ec5/src/subcommand/server.rs#L1369
But in practice it appears to fail if the data: URL in question came from a DOM element created from a document/inscription served from /preview/... The SAME interaction does work if served from /content/...
Example inscription: https://ordinals.com/content/666552489f01b1f478e28d7c34b601e50ac6ed2f9c2e75da1f6702016bf8e666i0 (download interaction works); https://ordinals.com/inscription/666552489f01b1f478e28d7c34b601e50ac6ed2f9c2e75da1f6702016bf8e666i0 (download interaction does not work: click canvas/image, then click one of the download buttons).
The goal is for this to allow an easy way for someone to download the current canvas's image content with a code-specified filename.
Browser Error on interaction:
Content-Security-Policy: The page’s settings blocked the loading of a resource at data:image/png;base64,iVBORw0KGgoAAAANSU… (“default-src”).
Sample code from this interaction:
var image = cselect.toDataURL(); // cselect: the <canvas> element drawn by the inscription; yields a data:image/png;base64,... URL
var dl = document.createElement('a'); // element sourced from /preview/ will fail, from /content/ will not
dl.download = 'Skullx Origins #' + tokenid + '.png'; // sets the download filename; tokenid is defined elsewhere in the inscription
dl.href = image;
dl.target = '_blank';
dl.click(); // triggers the download, i.e. the navigation to the data: URL that CSP reports as blocked
Possible Solution:
The CSP header returned to the browser is the same in both cases and looks like this:
default-src https://ordinals.com/content/ https://ordinals.com/blockheight https://ordinals.com/blockhash https://ordinals.com/blockhash/ https://ordinals.com/blocktime https://ordinals.com/r/ 'unsafe-eval' 'unsafe-inline' data: blob:
I believe the problem is that this does not include the preview URL, and so data URL content delivered in this manner may work if it were instead like this:
default-src https://ordinals.com/content/ https://ordinals.com/preview/ https://ordinals.com/blockheight https://ordinals.com/blockhash https://ordinals.com/blockhash/ https://ordinals.com/blocktime https://ordinals.com/r/ 'unsafe-eval' 'unsafe-inline' data: blob:
Just for further context: this simple HTML also fails in /preview or /inscription but works in /content:
<a href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAKBJREFUeNpiYBjpgBFd4P///wJAaj0QO9DEQiAg5ID9tLIcmwMYsDgABhqoaTHMUHRxpsGYBv5TGqTIZsDkYWLo6gc8BEYdMOqAUQeMOoAqDgAWcgZAfB9EU63SIAGALH8PZb+H8v+jVz64KiOK6wIg+ADEArj4hOoCajiAqMpqtDIadcCoA0YdQIoDDtCqQ4KtBY3NAYG0csQowAYAAgwAgSqbls5coPEAAAAASUVORK5CYII=" download="test.png" target="_blank">download</a>
Error: Content-Security-Policy: The page’s settings blocked the loading of a resource at data:image/png;base64,iVBORw0KGgoAAAANSU… (“default-src”).
Easy to test by pasting into this inscription: https://ordinals.com/inscription/4cc26939b8c375b75d283c44c1c1a02f9b28a33417d233a9b8fccbc4482aa102i0
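Added example (not ord project code, and not the reporter's): a small CSP source-expression matcher for checking what a default-src list like the one quoted under "Possible Solution" admits, run against both the current header and the proposed variant. It implements only the CSP Level 3 matching rules for the source kinds that appear in that header (scheme-sources such as data: and blob:, host-sources with a path prefix, quoted keywords); fallback between directives is not modelled.

```python
"""Minimal CSP source-expression matcher (added example, not ord code)."""
from urllib.parse import urlsplit

# Header quoted in the bug report, and the reporter's proposed variant.
CSP_CURRENT = ("default-src https://ordinals.com/content/ https://ordinals.com/blockheight "
               "https://ordinals.com/blockhash https://ordinals.com/blockhash/ "
               "https://ordinals.com/blocktime https://ordinals.com/r/ "
               "'unsafe-eval' 'unsafe-inline' data: blob:")
CSP_PROPOSED = CSP_CURRENT.replace("content/ ", "content/ https://ordinals.com/preview/ ", 1)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, url: str) -> bool:
    """Does one source expression admit `url`? Keywords ('self', 'unsafe-inline', ...) never match a URL."""
    if source.startswith("'"):
        return False
    parts = urlsplit(url)
    # scheme-source such as "data:" or "blob:" matches on the scheme alone
    if source.endswith(":") and "/" not in source:
        return parts.scheme == source[:-1].lower()
    # host-source scheme://host[/path]: a path ending in "/" is a prefix match,
    # any other path must match exactly; an empty path matches every path
    src = urlsplit(source)
    if parts.scheme != src.scheme or parts.netloc.lower() != src.netloc.lower():
        return False
    if not src.path or src.path.endswith("/"):
        return parts.path.startswith(src.path)
    return parts.path == src.path


def allowed_by(header: str, url: str, directive: str = "default-src") -> bool:
    """True if `url` is admitted by `directive` in `header` (no fallback chain modelled)."""
    return any(source_matches(s, url) for s in parse_csp(header).get(directive, []))


if __name__ == "__main__":
    for name, header in (("current", CSP_CURRENT), ("proposed", CSP_PROPOSED)):
        for url in ("data:image/png;base64,iVBORw0KGgo", "https://ordinals.com/preview/x"):
            print(f"{name:8} {url[:40]:40} -> {allowed_by(header, url)}")
```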