🏠 back to Observable

Content-Security-Policy: duplicate URI for img-src

When accessing a notebook page (e.g. @tmcw/module-require-debugger) the img-src directive in the Content-Security-Policy header repeats the URL https://static.observableusercontent.com twice. This might indicate a bug, as e.g. frame-src also lists https://*.static.observableusercontent.com, which is missing from img-src.

All directives for the example link:

default-src 'self' https://api.observablehq.com https://static.observableusercontent.com https://tmcw.static.observableusercontent.com;
connect-src https://api.observablehq.com wss://ws.observablehq.com https://connector.observableusercontent.com https://www.google-analytics.com https://checkout.stripe.com;
font-src 'none';
frame-ancestors 'none';
frame-src https://*.static.observableusercontent.com https://static.observableusercontent.com https://checkout.stripe.com data: blob:;
img-src https://static.observableusercontent.com https://static.observablehq.com https://static.observablehq.com https://*.githubusercontent.com https://*.stripe.com https://avatars.observableusercontent.com https://www.google-analytics.com data: blob:;
manifest-src 'none';
media-src 'none';
object-src 'none';
prefetch-src https://api.observablehq.com https://*.static.observableusercontent.com https://static.observableusercontent.com https://tmcw.static.observableusercontent.com;
script-src https://static.observablehq.com https://www.google-analytics.com https://checkout.stripe.com 'sha256-ejNFw8OWeqK4msja7DzrFHtVgd9bNQPmWaI1bmZJV2U=' 'sha256-9sXPIN9u6mwFn28E0B3jX7FUr/Jswayo8yNyp7IdyZg=';
style-src https://static.observablehq.com 'unsafe-inline';
worker-src 'none'
2 Likes

This is fixed!

The root cause was some refactoring of how we handle origin configuration of our development, staging, and production environments. Specifically, in development the duplicate origins you were seeing were actually two distinct origins.