Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UI: Load svgs from files instead of from data tags #914

Merged
merged 2 commits into from
Jan 20, 2025
Merged

UI: Load svgs from files instead of from data tags #914

merged 2 commits into from
Jan 20, 2025

Conversation

viktorerlingsson
Copy link
Member

@viktorerlingsson viktorerlingsson commented Jan 17, 2025
edited
Loading

WHAT is this pull request doing?

Load svg's from files instead of from data-tag to abide by Content Security Policy.

Fixes console error:

Refused to load the image 'data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 20 20'%3e%3cpath stroke='%23f7f5f2' stroke-linecap='round' stroke-linejoin='round' stroke-width='1.5' d='M6 8l4 4 4-4'/%3e%3c/svg%3e' because it violates the following Content Security Policy directive: "img-src 'self'".

HOW can this pull request be tested?

Start LavinMQ, make sure the arrow in the vhost dropdown is shown. And usermenu button in mobile.

image

@viktorerlingsson viktorerlingsson requested a review from a team as a code owner January 17, 2025 14:32
@ThomasSarlin
Copy link

Shouldn't the same error appear due to this line? :)

lavinmq/static/main.css

Line 1919 in fb03806

content: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none'%3E%3Cpath d='M20 21V19C20 17.9391 19.5786 16.9217 18.8284 16.1716C18.0783 15.4214 17.0609 15 16 15H8C6.93913 15 5.92172 15.4214 5.17157 16.1716C4.42143 16.9217 4 17.9391 4 19V21' stroke='%23F7F5F2' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3Cpath d='M12 11C14.2091 11 16 9.20914 16 7C16 4.79086 14.2091 3 12 3C9.79086 3 8 4.79086 8 7C8 9.20914 9.79086 11 12 11Z' stroke='%23F7F5F2' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E");

@viktorerlingsson
Copy link
Member Author

Shouldn't the same error appear due to this line? :)

lavinmq/static/main.css

Line 1919 in fb03806

content: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none'%3E%3Cpath d='M20 21V19C20 17.9391 19.5786 16.9217 18.8284 16.1716C18.0783 15.4214 17.0609 15 16 15H8C6.93913 15 5.92172 15.4214 5.17157 16.1716C4.42143 16.9217 4 17.9391 4 19V21' stroke='%23F7F5F2' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3Cpath d='M12 11C14.2091 11 16 9.20914 16 7C16 4.79086 14.2091 3 12 3C9.79086 3 8 4.79086 8 7C8 9.20914 9.79086 11 12 11Z' stroke='%23F7F5F2' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E");

Hmm, yes, sort of. But that is never loaded because #usermenu-button is display:none, so there's no error. Maybe that can just be removed then @bengtmagnus ?

@carlhoerberg
Copy link
Member

carlhoerberg commented Jan 17, 2025
edited
Loading

An alternative could be to modify the CSP: Content-Security-Policy: img-src data: avoids a http request for a tiny svg, but might have other downsides..

@viktorerlingsson
Copy link
Member Author

An alternative could be to modify the CSP: Content-Security-Policy: img-src data: avoids a http request for a tiny svg, but might have other downsides..

Yeah, I think allowing data: might increase the risks for some XSS, so this felt like the safest option.

@carlhoerberg
Copy link
Member

A third alternative could be to replace it with a utf8 character, if there's one similar enough

@carlhoerberg
Copy link
Member

Eg. ˅ ("\u{2c5}")

carlhoerberg
carlhoerberg approved these changes Jan 19, 2025
View reviewed changes
Copy link
Member

@carlhoerberg carlhoerberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good! But let's fix all content: url() in the css as @ThomasSarlin mentioned while we're at it.

@bengtmagnus
Copy link
Contributor

Yes! The #usermenu-button is because it is only visible on mobile. I can check and fix them all 👍

@viktorerlingsson viktorerlingsson changed the title UI: Load img from file instead of from a data tag UI: Load svgs from files instead of from data tags Jan 20, 2025
@viktorerlingsson viktorerlingsson merged commit 6bd90cf into main Jan 20, 2025
23 of 25 checks passed
@viktorerlingsson viktorerlingsson deleted the gui-arrow-svg branch January 20, 2025 15:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carlhoerberg carlhoerberg carlhoerberg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@viktorerlingsson @ThomasSarlin @carlhoerberg @bengtmagnus