Skip to content

csp: allow data: URLs in worker-src for web-forms#1776

Open
alxndrsn wants to merge 9 commits intogetodk:nextfrom
alxndrsn:web-forms-worker-src-data
Open

csp: allow data: URLs in worker-src for web-forms#1776
alxndrsn wants to merge 9 commits intogetodk:nextfrom
alxndrsn:web-forms-worker-src-data

Conversation

@alxndrsn
Copy link
Copy Markdown
Contributor

@alxndrsn alxndrsn commented Apr 8, 2026
edited
Loading

Closes #1775

What has been done to verify that this works as intended?

Added a test.

Why is this the best possible solution? Were any other approaches considered?

Maybe not a great solution - it seems unfortunate to need to loosen the CSP for feature detection.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

No effect.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

@alxndrsn alxndrsn marked this pull request as ready for review April 8, 2026 14:57
@matthew-white matthew-white linked an issue Apr 9, 2026 that may be closed by this pull request
CSP violation: worker-src data: in web-forms image size widget #1775
Open
@matthew-white matthew-white requested a review from lognaturel April 9, 2026 06:07
@lognaturel
Copy link
Copy Markdown
Member

lognaturel commented Apr 13, 2026

Do you remember what we have worker-src blob: for? If we already need to have that, adding data: doesn't seem worse but ideally we wouldn't need either. CC @garethbowen in case you have other ideas!

alxndrsn
alxndrsn commented Apr 14, 2026
View reviewed changes
Comment thread files/nginx/odk.conf.template Outdated
@alxndrsn
Copy link
Copy Markdown
Contributor Author

alxndrsn commented Apr 14, 2026

Do you remember what we have worker-src blob: for?

It was originally introduced for OpenLayers maps in:

It was then duplicated when enketo & web-forms CSPs were split in:

If we already need to have that, adding data: doesn't seem worse but ideally we wouldn't need either.

I think technically data: is less safe than blob:, as a data URL (data:) can be injected with only HTML or DOM manipulation, whereas an object URL (blob:) requires script injection.

Ideally we'd avoid both; adding blob: when data: is already listed should not be a significant increase in risk.

Ref:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lognaturel lognaturel Awaiting requested review from lognaturel

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CSP violation: worker-src data: in web-forms image size widget

2 participants

@alxndrsn @lognaturel