Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
215 views
in Technique[技术] by (71.8m points)

Images not displayed for many Github sites (Content Security Policy)

I experience a multitude of Github sites where the embedded images are not shown. By page inspection i get:

Examples:

kafdrop

Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com".

Best README Template

Refused to load the image 'https://raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com/s/raw.githubusercontent.com/othneildrew/Best-README-Template/master/images/screenshot.png?X-OpenDNS-Session=_f7905b88047890475409fdb099cfa2fdcd239270fc5e_tzftKMMb_' because it violates the following Content Security Policy directive: "img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com".

The following pages works fine: Vue, Tensorflow, FreeCodeCamp.

Above is for Chrome, but same issue for Edge. I only see these issues on my corporate PC (even outside the corporate VPN).

  • Which security policies cause this? (Browser settings, firewall/antivirus?)
  • Why are some pages failing why other are not?
  • Does the failing sites actually cause a security risk (such as XSS), and should there be opened issues against the failing Github sites or Github in general?
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

You are not loading your images from raw.githubusercontent.com but from raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com. It could be that your corporate PC does some rewrites to filter images through opendns.com. You would likely need to add "*.id.opendns.com" or "*.opendns.com" to img-src to work in this specific environment.

If you monitor CSP reports you will see that corporate security products often makes modifications that causes CSP violations.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...