Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
I experience a multitude of Github sites where the embedded images are not shown. By page inspection I get:

Examples:

kafdrop

Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com".

Best README Template

Refused to load the image 'https://raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com/s/raw.githubusercontent.com/othneildrew/Best-README-Template/master/images/screenshot.png?X-OpenDNS-Session=_f7905b88047890475409fdb099cfa2fdcd239270fc5e_tzftKMMb_' because it violates the following Content Security Policy directive: "img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com".

The following pages work fine: Vue, Tensorflow, FreeCodeCamp.

Above is for Chrome, but same issue for Edge. I only see these issues on my corporate PC (even outside the corporate VPN).

  • Which security policies cause this? (Browser settings, firewall/antivirus?)
  • Why are some pages failing while others are not?
  • Do the failing sites actually cause a security risk (such as XSS), and should issues be opened against the failing Github sites or Github in general?


1 Answer

You are not loading your images from raw.githubusercontent.com but from raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com. It could be that your corporate PC does some rewrites to filter images through opendns.com. You would likely need to add "*.id.opendns.com" or "*.opendns.com" to img-src to work in this specific environment.

If you monitor CSP reports you will see that corporate security products often make modifications that cause CSP violations.


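As an added example (not code from the question or the answer), a simplified host-source matcher for the `img-src` directive quoted above, showing why the OpenDNS-rewritten URL fails `*.githubusercontent.com` and only passes once `*.opendns.com` is appended. The page origin `https://github.com` and the reduced matching rules (no nonce, hash or `'unsafe-*'` sources) are assumptions.

```javascript
// Added example: a minimal CSP img-src host-source matcher, modelled on the
// CSP Level 3 source-expression rules for scheme, 'self' and host sources.
// Assumption: the protected page is served from https://github.com.

const CSP_IMG_SRC =
  "img-src 'self' data: github.githubassets.com identicons.github.com " +
  "collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com";

// The rewritten URL reported in the question (OpenDNS session token as shown there).
const REWRITTEN_URL =
  "https://raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com" +
  "/s/raw.githubusercontent.com/othneildrew/Best-README-Template/master/images/screenshot.png" +
  "?X-OpenDNS-Session=_f7905b88047890475409fdb099cfa2fdcd239270fc5e_tzftKMMb_";

// Split "img-src a b c" into its list of source expressions.
function parseSources(directive) {
  const [name, ...sources] = directive.trim().split(/\s+/);
  if (name !== "img-src") throw new Error(`expected img-src, got ${name}`);
  return sources;
}

// Does one source expression match `url`? A leading "*." wildcard matches
// one or more subdomain labels; a bare host must match exactly.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.endsWith(":")) return url.protocol === source; // scheme source, e.g. data:
  const host = url.hostname.toLowerCase();
  const src = source.toLowerCase();
  if (src.startsWith("*.")) {
    const suffix = src.slice(1); // "*.githubusercontent.com" -> ".githubusercontent.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === src;
}

// True when at least one source expression in the directive allows the image URL.
function imageAllowed(directive, urlString, pageOrigin = "https://github.com") {
  const url = new URL(urlString);
  return parseSources(directive).some((s) => sourceMatches(s, url, pageOrigin));
}

// Blocked as shipped by GitHub, allowed only with the environment-specific source appended.
console.log(imageAllowed(CSP_IMG_SRC, REWRITTEN_URL));                    // false
console.log(imageAllowed(CSP_IMG_SRC + " *.opendns.com", REWRITTEN_URL)); // true
```

The same check explains why the listed pages work: their images still come from a host under `*.githubusercontent.com` or `github.githubassets.com`, so no rewrite has moved them outside the allow-list.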