Images don't load at <https://rustup.rs> due to content security policy
Verification
- [x] I searched for recent similar issues at https://github.com/rust-lang/rustup/issues?q=is%3Aissue and found no duplicates.
- [x] I am on the latest version of Rustup according to https://github.com/rust-lang/rustup/tags and am still able to reproduce my issue.
Problem
The Rust logo in front of "rustup is an official Rust project" doesn't load and shows up as a blank square:
In the browser console:
Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://rust-lang.org/logos/rust-logo-blk.svg because it violates the following directive: “img-src 'self' https://www.rust-lang.org/” [rustup.rs](https://rustup.rs/)
A resource is blocked by OpaqueResponseBlocking, please check browser console for details. [rust-logo-blk.svg](https://www.rust-lang.org/logos/rust-logo-blk.svg)
Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://rust-lang.org/static/images/favicon.svg because it violates the following directive: “img-src 'self' https://www.rust-lang.org/”
Steps
Visit https://rustup.rs
Possible Solution(s)
No response
Notes
No response
Rustup version
N/A
Installed toolchains
N/A
OS version
N/A
I thought we fixed this in #4533. Maybe that didn't deploy correctly or there's more we need to do for deployment?
Or maybe this is a related but slightly different issue?
I guess it didn't deploy properly. #4533 should remove "www." from the CSP header but:
```
$ curl -sI https://rustup.rs | rg content-security
content-security-policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' https://www.rust-lang.org; font-src 'self'
```
I believe the website is part of the rustup release process. That is, I think you need to publish a new release.
Hmm, maybe we should decouple that to get more continuous deployment of the website...
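
The host mismatch discussed in this thread, as an added example that is not part of the original issue or the rustup project's code: a simplified CSP source matcher (a subset of CSP Level 3 matching, without redirects, nonces or hashes) run against the deployed header and the blocked logo URL from the report. `FIXED` is constructed from the thread's description of #4533, and all function names are hypothetical.

```javascript
// Added example: simplified CSP source-list matching for URL-based sources.
// Not a full CSP Level 3 implementation (no redirects, nonces or hashes).
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

const schemeOk = (want, got) => got === want || (want === 'http:' && got === 'https:');

function sourceMatches(source, url, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === page.origin;
  if (source === '*') return /^https?:$/.test(url.protocol); // simplified
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return schemeOk(source.toLowerCase(), url.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeOk((scheme ? scheme + ':' : page.protocol).toLowerCase(), url.protocol)) return false;
  const h = host.toLowerCase();
  // Hosts compare exactly: "www.example.org" does not cover "example.org" or
  // the reverse. Only a leading "*." matches subdomains.
  if (h.startsWith('*.') ? !url.hostname.endsWith(h.slice(1)) : url.hostname !== h) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port === undefined ? url.port !== '' : port !== '*' && port !== urlPort) return false;
  if (!path) return true; // no path in the source: any path matches
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

function isAllowed(header, directive, resourceUrl, pageUrl) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy['default-src']; // fetch directives fall back
  if (sources === undefined) return true; // nothing restricts this resource type
  const url = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// DEPLOYED is the header from the curl output above; FIXED is constructed from
// the thread's description of the change (drop "www." from img-src).
const DEPLOYED = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' https://www.rust-lang.org; font-src 'self'";
const FIXED = DEPLOYED.replace('https://www.rust-lang.org', 'https://rust-lang.org');
const LOGO = 'https://rust-lang.org/logos/rust-logo-blk.svg'; // blocked URL from the console log

const report = () => [DEPLOYED, FIXED].map((h) => isAllowed(h, 'img-src', LOGO, 'https://rustup.rs/'));
console.log(report());
```

Host matching is exact in both directions, so under `FIXED` an image URL on `www.rust-lang.org` would be refused in turn.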