
Falling back to previewUrl image src `about:blank` causing CSP violations

Open dillonstreator opened this issue 2 years ago • 2 comments

The AttachmentContainer is falling back to using an image source of about:blank for previewUrl. https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Attachment/AttachmentContainer.tsx#L130 https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Attachment/AttachmentContainer.tsx#L165

This can cause the following CSP violation.

img-src: csp_violation: 'about' blocked by 'img-src' directive

Can we drop this fallback and not render the image if none is provided in the default ImageComponent? https://github.com/GetStream/stream-chat-react/blob/24d2a4d6cc89207ba605eb228cf362c03e2ccb66/src/components/Gallery/Image.tsx#L43

dillonstreator, May 18 '23 20:05

@dillonstreator thank you for reporting the issue. Could you please clarify where those errors are logged?

MartinCupela, May 19 '23 10:05

Hi there, not sure if it is exactly the same issue, but we are having trouble with the images loaded from rich link previews violating our CSP. We have no way of knowing which domains users share in the chat, let alone the image preview locations. The only fix I can think of right now is to disable the img-src directive, but that poses a security risk...

What is the recommended way to get around this? I can't see anything on the topic in the Stream docs

Thank you in advance

kiily, Jun 08 '25 16:06
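The `about:blank` fallback the reporter describes and the img-src question kiily raises, as an added example that is not stream-chat-react code: a simplified CSP source-list matcher shows that an `about:blank` image source is rejected by any img-src list that does not name the `about:` scheme (even `*` does not cover it), beside the two fallback strategies the issue contrasts. The policy strings, hostnames and page origin are constructed; port and path matching are left out.

```javascript
// Added example, not stream-chat-react code: a simplified CSP source-list matcher
// plus the two image-src strategies the issue contrasts. Ports and paths are ignored.

// Return the source list of `name` (e.g. "img-src"), falling back to default-src
// as browsers do; null when neither directive is present.
function sourcesFor(policy, name) {
  const directives = policy.split(';').map((d) => d.trim().split(/\s+/));
  const find = (n) => directives.find((d) => d[0] === n);
  const match = find(name) || find('default-src');
  return match ? match.slice(1) : null;
}

// Does `policy` allow loading `url` under `directive` from a page at `pageOrigin`?
function cspAllows(policy, directive, url, pageOrigin) {
  const sources = sourcesFor(policy, directive);
  if (sources === null) return true; // nothing restricts this directive
  const target = new URL(url, pageOrigin); // about:blank resolves to protocol "about:"
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === page.origin;
    // '*' matches network schemes only, so about:, data: and blob: stay blocked
    if (src === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(target.protocol);
    // scheme-source such as "https:" or "about:"
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    // host-source: [scheme://][*.]host
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/i);
    if (!m) return false;
    const [, scheme, wildcard, host] = m;
    const schemeOk = scheme
      ? target.protocol === scheme.toLowerCase() + ':'
      : ['http:', 'https:'].includes(target.protocol); // no scheme: network scheme only
    const hostOk = wildcard
      ? target.hostname.endsWith('.' + host.toLowerCase())
      : target.hostname === host.toLowerCase();
    return schemeOk && hostOk;
  });
}

// The fallback the issue reports: <img src="about:blank"> when previewUrl is missing.
function imageSrcWithBlankFallback(previewUrl) {
  return previewUrl || 'about:blank';
}

// The alternative the reporter proposes: no src at all, so the caller renders no <img>.
function imageSrcOrNull(previewUrl) {
  return previewUrl ? previewUrl : null;
}
```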