
Fix draw.io/diagrams.net "export" function

Open vincentbernat opened this issue 1 year ago • 1 comments

Exporting a diagram is done using the "blob:" scheme. This is not allowed by the current CSP. Add it automatically when we have draw.io/diagrams.net integration enabled.

Fix #4710

vincentbernat avatar Jun 30 '24 05:06 vincentbernat

Thanks for offering this @vincentbernat, but when looking before I found it hard to understand the full potential security impact of adding the blob scheme to CSP (which is why I haven't added it so far). Where there's a non-understood risk, I'd rather that this be opt in (via adding to ALLOWED_IFRAME_SOURCES) rather than enabled by default.

ssddanbrown avatar Jun 30 '24 09:06 ssddanbrown

I'll go ahead and close this off under the reasoning provided above.

ssddanbrown avatar Jul 14 '24 15:07 ssddanbrown
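The CSP behaviour behind this thread, as an added example that is not code from BookStack or from either participant: a small checker showing that host sources and even `*` do not cover `blob:`, so the scheme has to be listed explicitly. It assumes `ALLOWED_IFRAME_SOURCES` ends up in the `frame-src` directive; the policy strings are constructed samples, not BookStack's real header.

```javascript
// Added example: decide whether a CSP lets a page load a blob: URL in a frame.
// Policy strings below are constructed samples (assumption), not real headers.

// Parse "dir src src; dir src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Frames are governed by frame-src, falling back to child-src, then default-src.
function frameSources(policy) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (policy.has(name)) return { directive: name, sources: policy.get(name) };
  }
  return { directive: null, sources: null }; // no directive restricts frames
}

// blob: is a non-network scheme: only an explicit "blob:" source matches it.
// The "*" wildcard and host sources such as https://*.draw.io do not.
function allowsBlobFrames(header) {
  const { directive, sources } = frameSources(parseCsp(header));
  if (directive === null) return { allowed: true, directive };
  const allowed = sources.some((s) => s.toLowerCase() === 'blob:');
  return { allowed, directive };
}

const samples = {
  hostsOnly: "frame-src 'self' https://*.draw.io https://*.youtube.com",
  wildcard: "default-src 'self'; frame-src *",
  optIn: "frame-src 'self' https://*.draw.io blob:",
  fallback: "default-src 'self' blob:; script-src 'self'",
};
for (const [label, header] of Object.entries(samples)) {
  console.log(label, allowsBlobFrames(header));
}
```

The `fallback` sample is the case worth auditing for: a `blob:` entry in `default-src` silently applies to frames whenever no `frame-src` or `child-src` is set.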