Content-Security-Policy: duplicate URI for img-src

When accessing a notebook page (e.g. @tmcw/module-require-debugger) the img-src directive in the Content-Security-Policy header repeats the URL twice. This might indicate a bug, as e.g. frame-src also lists https://*, which is missing from img-src.

All directives for the example link:

default-src 'self';
connect-src wss://;
font-src 'none';
frame-ancestors 'none';
frame-src https://* data: blob:;
img-src https://* https://* data: blob:;
manifest-src 'none';
media-src 'none';
object-src 'none';
prefetch-src https://*;
script-src 'sha256-ejNFw8OWeqK4msja7DzrFHtVgd9bNQPmWaI1bmZJV2U=' 'sha256-9sXPIN9u6mwFn28E0B3jX7FUr/Jswayo8yNyp7IdyZg=';
style-src 'unsafe-inline';
worker-src 'none'

This is fixed!

The root cause was some refactoring of how we handle origin configuration of our development, staging, and production environments. Specifically, in development the duplicate origins you were seeing were actually two distinct origins.

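A check for the duplication reported in this thread, as an added example that is not part of the original posts or the site's own code: it parses a policy, reports any source expression repeated within a directive, and de-duplicates a source list before it is serialized. The function names are assumptions, and the sample policy is a subset of the directives quoted above.

```javascript
// Sample input: a subset of the directives quoted in the report above.
const REPORTED_POLICY =
  "default-src 'self'; connect-src wss://; " +
  "frame-src https://* data: blob:; img-src https://* https://* data: blob:";

// Scheme and host compare case-insensitively; paths and nonce/hash values do not.
function normalize(source) {
  if (/^'(nonce|sha(256|384|512))-/i.test(source)) return source;
  const [, head, rest] = source.match(/^((?:[a-z][a-z0-9+.-]*:\/\/)?[^\/]*)(.*)$/i);
  return head.toLowerCase() + rest;
}

// Split a policy into a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a directive name that has already appeared in the policy.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return { directive: [sources listed more than once] } for a policy string.
function findDuplicateSources(policy) {
  const report = {};
  for (const [name, sources] of parseCsp(policy)) {
    const seen = new Set();
    const dupes = new Set();
    for (const s of sources.map(normalize)) (seen.has(s) ? dupes : seen).add(s);
    if (dupes.size > 0) report[name] = [...dupes];
  }
  return report;
}

// Serialize one directive, collapsing sources that normalize to the same value
// (assumed case: per-environment origins that are identical outside development).
function buildDirective(name, sources) {
  const unique = [...new Set(sources.map(normalize))];
  return [name, ...unique].join(" ");
}

console.log(findDuplicateSources(REPORTED_POLICY));
console.log(buildDirective("img-src", ["https://*", "https://*", "data:", "blob:"]));
```

Running `findDuplicateSources` against each environment's response header in a deployment check catches this kind of regression before it reaches users.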