Conversation

Collaborator

@hehoon hehoon commented Dec 15, 2025

I have a JIRA issue created

  • branch and/or PR name(s) includes JIRA ID
  • issue has "Fix version" assigned
  • issue "Status" is set to "In review"
  • PR labels are selected
  • FLP integration tests were run successfully

Changes:

  • Update Content-Security-Policy to permit blob: URLs for images only.

The changes allow for Blob-based images to be previewed or downloaded.
Other Blob types such as script-src are not permitted, mainly to prevent unwanted code execution via:

const blob = new Blob(['console.log(\'executed\')'], { type: 'application/javascript' });

By default, Helmet's CSP middleware allows "'self'", "data:" in img-src, see: https://github.com/helmetjs/helmet/blob/dd6e18f735d61248f654df3960da80db7fb2120a/middlewares/content-security-policy/index.ts#L63.

Do note that blob: URLs are entirely local to the browser. When you create a blob URL using URL.createObjectURL(blob), the browser generates an internal reference to an in-memory Blob or MediaSource object. It cannot be used to fetch resources from another website. For more information, please see the documentation: https://developer.mozilla.org/en-US/docs/Web/URI/Reference/Schemes/blob
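The policy change described above, as an added example that is not part of this PR or of Helmet's code: the directive map is kept in the same shape Helmet accepts, img-src starts from Helmet's default of "'self'" and "data:" (the only values taken from the page), blob: is appended to img-src only, and a small serializer/parser pair checks that the resulting header would accept a blob: URL for images but not for scripts. The policy itself, the URL value and the helper names are constructed for illustration; the matcher only models scheme sources and the wildcard, not "'self'" or host sources.

```javascript
// Added example (not the project's or Helmet's code): extend img-src with blob:
// and verify the effect per directive.

// Helmet's default img-src is "'self'" and "data:" (see the link in the PR);
// the remaining directives form a constructed minimal policy for illustration.
const baseDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
};

// The change this PR describes: permit blob: for images only.
// Returns a new map; the input is left untouched and a repeat call is a no-op.
function allowBlobImages(directives) {
  const out = { ...directives, 'img-src': [...directives['img-src']] };
  if (!out['img-src'].includes('blob:')) out['img-src'].push('blob:');
  return out;
}

// Serialize the directive map into the header value a server would send.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// Parse a CSP header value back into a map (enough for source-list directives).
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Decide whether a URL's scheme is allowed for a fetch directive, applying the
// CSP rule that a missing directive falls back to default-src. Only scheme
// sources ("blob:", "data:") and "*" are modelled; "'self'" and host sources
// are not evaluated here.
function schemeAllowed(directives, directive, url) {
  const scheme = url.split(':')[0].toLowerCase() + ':';
  const sources = directives[directive] ?? directives['default-src'] ?? [];
  return sources.some((s) => s.toLowerCase() === scheme || s === '*');
}

const hardened = allowBlobImages(baseDirectives);
const header = serializeCsp(hardened);
const parsed = parseCsp(header);

// A blob: URL in the form URL.createObjectURL() mints (constructed sample value).
const blobUrl = 'blob:https://example.invalid/3f1c0c9e-0000-4000-8000-000000000000';

const imageAllowed = schemeAllowed(parsed, 'img-src', blobUrl);   // true
const scriptAllowed = schemeAllowed(parsed, 'script-src', blobUrl); // false

console.log(header);
console.log({ imageAllowed, scriptAllowed });
```

Running the block prints the serialized header and the two verdicts; the script-src check stays false because blob: was added to img-src alone, which is the property the PR description relies on to keep Blob-backed scripts from executing.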

@hehoon hehoon self-assigned this Dec 15, 2025
@hehoon hehoon requested a review from graduta as a code owner December 15, 2025 12:19
@hehoon hehoon mentioned this pull request Dec 15, 2025
@graduta graduta changed the title Allow blob: in img-src CSP [OGUI-1861] Allow blob: in img-src CSP Jan 7, 2026
@graduta graduta merged commit dd533f9 into dev Jan 7, 2026
14 checks passed
@graduta graduta deleted the improvement/FRM/allow-blob-img-src branch January 7, 2026 12:30