I'm using Lightbox2 v2.9.0 and have identified a Content Security Policy (CSP) error when loading my site on Firefox and Chrome. Lightbox2 uses a data-embedded image for the `.lb-nav` anchor (line 94 in lightbox.css for current version 2.11.4). Without adding the `data:` directive to `img-src` in the CSP, the page blocks this image with the following error:

```
Content-Security-Policy: The page's settings blocked the loading of a resource (img-src) at data:image/svg+xml;base64,PHN2ZyB4bWxucz… because it violates the following directive: "img-src...
```

Using the `data:` directive leaves sites open to XSS attacks, and several sites, including W3C's CSP Level 3 Working Draft, recommend against using it. See section 6:

> In either case, developers SHOULD NOT include either unsafe-inline, or data: as valid sources in their policies. Both enable XSS attacks by allowing code to be included directly in the document itself; they are best avoided completely.

Can Lightbox2's data-embedded image be replaced with a local image to avoid using the risky `data:` directive?
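As an added example (not Lightbox2's code or the issue author's), the following Node script reports which `url()` references in a stylesheet a given CSP header would block as image loads, so a site operator can confirm that swapping the `data:` SVG for a file served from the site's own origin is enough to satisfy an `img-src 'self'` policy. The sample CSS and policies are constructed, and `cdn.example.com` is a placeholder host.

```javascript
// Added example, not Lightbox2 code: decide which url() references in a
// stylesheet a given Content-Security-Policy header would block as images.
// Only the source forms relevant here are modelled: 'self', data:, '*',
// and exact scheme://host entries; 'none' and wildcard hosts are not.

function parseCsp(header) {
  const csp = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) csp[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return csp;
}

// Image loads are governed by img-src, falling back to default-src.
function imageAllowed(csp, url, pageOrigin) {
  const sources = csp['img-src'] || csp['default-src'] || [];
  if (sources.includes('*')) return true;
  if (/^data:/i.test(url)) return sources.includes('data:');
  if (!/^[a-z][a-z0-9+.-]*:/i.test(url)) return sources.includes("'self'"); // relative URL
  const u = new URL(url);
  if (sources.includes("'self'") && u.origin === pageOrigin) return true;
  return sources.includes(u.origin);
}

// Extract every url(...) value from a stylesheet (quoted or bare).
function cssUrls(css) {
  const re = /url\(\s*(['"]?)([^'")]+)\1\s*\)/g;
  return Array.from(css.matchAll(re), (m) => m[2].trim());
}

// Return the url() values the policy would block on a page at pageOrigin.
function blockedImageUrls(cspHeader, css, pageOrigin) {
  const csp = parseCsp(cspHeader);
  return cssUrls(css).filter((url) => !imageAllowed(csp, url, pageOrigin));
}

// Constructed stylesheet mimicking the .lb-nav rules; the base64 is a stub "<svg></svg>".
const SAMPLE_CSS = `
.lb-nav a.lb-prev { background: url(data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=) left 48% no-repeat; }
.lb-nav a.lb-next { background: url("../images/next.png") right 48% no-repeat; }
.lb-close { background: url(https://cdn.example.com/close.png) no-repeat; }`;

const STRICT_CSP = "default-src 'self'; img-src 'self' https://cdn.example.com";
const LAX_CSP = "default-src 'self'; img-src 'self' data:";

console.log(blockedImageUrls(STRICT_CSP, SAMPLE_CSS, 'https://www.example.com'));
// prints only the data: SVG; the local file and the listed CDN image are allowed
```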