Falling back to previewUrl image src `about:blank` causing CSP violations
The AttachmentContainer is falling back to using an image source of about:blank for previewUrl.
https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Attachment/AttachmentContainer.tsx#L130
https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Attachment/AttachmentContainer.tsx#L165
This can cause the following CSP violation.
img-src: csp_violation: 'about' blocked by 'img-src' directive
Can we drop this fallback and not render the image if none is provided in the default ImageComponent? https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Gallery/Image.tsx#L43
@dillonstreator thank you for reporting the issue. Could you please clarify, where those errors are logged, please?
Hi there, not sure if exactly the same issue but we are having troubles with the images loading from rich preview links violating our CSP. We have no way of knowing which domains users share in the chat, let along the image preview locations. The only fix I can think of right now is to disable the img-src directive but that poses a security risk....
What is the recommended way to get around this? I can't see anything on the topic in the Stream docs
Thank you in advance