CSP causes images not to load from AWS S3 and Google Avatar
Debug mode
- [X] I have enabled debug mode
- [X] I have read and checked the Common Issues page
Describe the bug
We are using S3 Buckets for storing uploaded images but they are not loaded in the browser because the URL violates the CSP:
https://our-snipeit-public.s3.eu-west-1.amazonaws.com/assets/asset-image-asdafsdf.jpeg
Also Google User Avatars are not loaded because they violate the CSP:
https://lh3.googleusercontent.com/a/ACg8ocJ6zs9J_VbdONsjPJHQWWsakG-XO1qpl30DAtG5fqR42_-XsaqI=s96-c
The current CSP header is:
default-src 'self';style-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline' 'unsafe-eval';connect-src 'self';object-src 'none';font-src 'self' data:;img-src 'self' data: https://assets.example.com https://secure.gravatar.com http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com;img-src 'self' data:
Reproduction steps
- Use S3 for storing images
- Use Google for SSO
Expected behavior
images should be loaded from those external services and blocked by CSP
Screenshots
No response
Snipe-IT Version
6.3.4
Operating System
Ubuntu, Docker
Web Server
Traefik
PHP Version
that of docker image snipe/snipe-it:v6.3.4
Error messages
No response
Additional context
No response
I'm not really sure of the best way to account for that. Maybe add an env var for additional CSP urls.
https://github.com/snipe/snipe-it/blob/0d4f13219b2bd649d3fc45954e3c5331b7badf37/app/Presenters/UserPresenter.php#L429-L438
We can't just accept anything, or it would defeat the purpose of the CSP in the first place.
We do account for the public AWS URL tho.
https://github.com/snipe/snipe-it/blob/0d4f13219b2bd649d3fc45954e3c5331b7badf37/app/Http/Middleware/SecurityHeaders.php#L91
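An added example (my own code, not Snipe-IT's) of what the env-var approach could look like: it parses the header quoted in the issue, flags the duplicated img-src directive (browsers keep only the first occurrence of a directive name and ignore the rest), and merges a hypothetical comma-separated ADDITIONAL_IMG_SRC value into img-src while accepting only https origins or host patterns, so the CSP still rejects arbitrary sources.

```python
"""Parse a CSP header, flag duplicate directives, and merge validated extra
image origins. Example code; the env-var name ADDITIONAL_IMG_SRC is hypothetical."""
import re
from urllib.parse import urlsplit

# Constructed from the header quoted in the issue (note the second img-src).
ISSUE_CSP = ("default-src 'self';style-src 'self' 'unsafe-inline';"
             "script-src 'self' 'unsafe-inline' 'unsafe-eval';connect-src 'self';"
             "object-src 'none';font-src 'self' data:;"
             "img-src 'self' data: https://assets.example.com https://secure.gravatar.com "
             "http://gravatar.com maps.google.com maps.gstatic.com *.googleapis.com;"
             "img-src 'self' data:")

def parse_csp(header):
    """Return (directives, duplicates). A browser honours the FIRST directive of a
    given name and silently drops later ones, so a duplicate is a misconfiguration."""
    directives, duplicates = {}, []
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        if name in directives:
            duplicates.append(name)
            continue
        directives[name] = values
    return directives, duplicates

# Host source: optional leading "*." then at least two dot-separated labels.
_HOST_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def validate_extra_origin(origin):
    """Accept an https:// origin or a host pattern; reject bare '*', schemes,
    http://, data:/blob: and quoted keywords. Returns the source expression."""
    o = origin.strip()
    if not o or o in ("*", "data:", "blob:") or o.startswith("'"):
        raise ValueError(f"refusing wildcard/keyword source: {o!r}")
    if "://" in o:
        parts = urlsplit(o)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"only https:// origins allowed: {o!r}")
        return f"https://{parts.netloc}"  # keep the origin only, drop path/query
    if not _HOST_RE.match(o):
        raise ValueError(f"not a valid host source: {o!r}")
    return o

def build_img_src(base_values, extra_env):
    """Append each validated origin from the env-var value to the existing img-src."""
    values = list(base_values)
    for origin in filter(None, (s.strip() for s in extra_env.split(","))):
        v = validate_extra_origin(origin)
        if v not in values:
            values.append(v)
    return "img-src " + " ".join(values)
```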