
CSP Violation #208

Closed
mightycoco opened this issue Jul 7, 2015 · 4 comments

@mightycoco

OC 8.1 (TLS connection)
Google Chrome 43
Firefox 38
Windows 8.1

When trying to open a folder with images, the thumbnails are not loaded. Looking at the debugger, for each inline thumbnail there is a CSP violation:

Refused to load the image 'data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD//gA+Q1JFQVRPUjogZ2QtanBl…vAd6l8E8ZIHHtRRUvYpbnd5DHjkUtFFYmoUE0UUDG1nsuZ5D70UVM9io7kZyDyKKKKwNT/2Q==' because it violates the following Content Security Policy directive: "img-src 'self'".

According to the CSP spec, the site should specify a meta tag to indicate that data: sources specify an actual data segment.

The page should have the following meta tag in the header to allow inline image data.

<head>
...
<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:;" />
...
</head>

@LukasReschke
Member

@oparoz Can be easily fixed by adjusting the policy and also allowing "data:"

@oparoz
Contributor

oparoz commented Jul 7, 2015

The policy is already there:
Content-Security-Policy:"default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *; connect-src *"

2 possibilities

  • The cache has not been refreshed and files of the old version are being served on 8.1, which is not going to work or
  • the wrong version got installed.

@mightycoco - Could you check apps/galleryplus/appinfo/info.xml to see if it's the version for 8.1?
If it is, please do a CTRL+F5

If it still doesn't work, I'll need the thumbnail URL, something like:
thumbnails?ids=171421%3B171389%3B171388%3B171373&scale=1&square=0&requesttoken=ohGsUBM72XTMcvYQd6pUdV%2B%2FhPRQt0
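To make the two policies in this thread concrete (the `img-src 'self'` that produced the violation in the report, the `img-src 'self' data:` meta tag it proposes, and the full header quoted above), here is an added example, not code from the issue or from the gallery app, that evaluates a Content-Security-Policy value against a URL the way a browser does. It follows the CSP Level 3 matching rules (simplified: 'self', scheme-source, host-source with wildcard host and port, `*`, and the default-src fallback); under those rules `*` covers network schemes only, so `data:` must be listed explicitly. The page origin and the thumbnail data URI are constructed inputs.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    # "default-src 'self'; img-src 'self' data:" -> {"default-src": ["'self'"], "img-src": [...]}
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence of a directive wins
    return policy

def source_matches(expr, url, page_origin):
    # Simplified CSP Level 3 source-expression matching for one URL.
    u, p = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr == "*":  # network schemes only: '*' does not cover data:, blob: or filesystem:
        return u.scheme in ("http", "https") or u.scheme == p.scheme
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as data: or https:
        return u.scheme == expr[:-1].lower()
    if expr.startswith("'"):  # 'none', 'unsafe-inline', nonces and hashes never match a URL
        return False
    scheme, _, hostport = expr.rpartition("://")  # host-source: [scheme://]host[:port]
    if not (u.scheme == scheme.lower() if scheme else u.scheme in ("http", "https")):
        return False
    host, _, port = hostport.partition(":")
    if port and port != "*" and port != str(u.port or {"http": 80, "https": 443}.get(u.scheme)):
        return False
    hostname = (u.hostname or "").lower()
    return hostname.endswith(host[1:].lower()) if host.startswith("*.") else hostname == host.lower()

def allowed(header, directive, url, page_origin):
    # Fetch directives such as img-src fall back to default-src when absent;
    # with neither present the load is unrestricted.
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or any(source_matches(s, url, page_origin) for s in sources)

# Constructed sample inputs mirroring the issue: an inline thumbnail and three policies.
ORIGIN = "https://cloud.example"                    # hypothetical page origin
THUMB = "data:image/jpeg;base64,/9j/4AAQSkZJRgABAQ=="
STALE = "default-src 'self'"                        # img-src falls back to 'self': thumbnail blocked
META_FIX = "img-src 'self' data:"                   # the meta tag suggested in the report
SHIPPED = ("default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; "
           "frame-src *; img-src *; font-src 'self' data:; media-src *; connect-src *")

if __name__ == "__main__":
    for name, csp in [("stale", STALE), ("meta-fix", META_FIX), ("shipped", SHIPPED)]:
        print(f"{name:8s} allows data: thumbnail: {allowed(csp, 'img-src', THUMB, ORIGIN)}")
```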

@mightycoco
Author

Aha! There must have been something with the cache. Doing a CTRL-R gives the correct CSP header, with img-src * instead of img-src 'self'!

@oparoz
Contributor

oparoz commented Jul 7, 2015

OK, thanks for confirming :)

@oparoz oparoz closed this as completed Jul 7, 2015
MorrisJobke added a commit that referenced this issue Jul 25, 2015
[stable8.1] Make compatible with IE 11