josdejong/jsoneditor

Remove Data URLs from code

Open

#1,418 opened on February 5, 2022

View on GitHub
5 comments · 0 reactions · 0 assignees · JavaScript · 10,781 stars · 2,034 forks

Labels: feature, help wanted

Description

In this piece of code a data URL is used:

https://github.com/josdejong/jsoneditor/blob/e69a835f721bab6824b65f3d13717a20ff7d81f7/src/js/ace/theme-jsoneditor.js#L138

This requires applications using Content Security Policy directives with full restrictions to allow data: as described here and here.

https://security.stackexchange.com/questions/94993/is-including-the-data-scheme-in-your-content-security-policy-safe discusses whether data: is safe or not. One answer suggests it has never been proven to be unsafe, even though multiple articles mention that it is.

To be safe rather than sorry, many applications forbid data: and only allow 'self' as the CSP source.

Would it be possible to put the SVG in an external file and instead bundle it that way? I.e. as a real URL to the .svg. It's also nice in the sense that users can actually open the SVG in the src in this repo to see what it looks like 😄
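To make the CSP interaction concrete, here is an added example (not part of the issue or of the jsoneditor project) that parses a CSP header and checks whether an image URL would be permitted by `img-src`, falling back to `default-src` the way browsers do, comparing a strict `'self'`-only policy with one that also lists `data:`. The policy strings, the page origin and the `data:image/svg+xml` URL are constructed samples.

```javascript
// Added example (not jsoneditor code): evaluate whether a CSP policy lets an
// image load from a given URL, following the directive fallback browsers
// apply (img-src, else default-src). Policies and URLs are constructed samples.

// Parse "directive a b; directive2 c" into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the URL? Covers the cases relevant here:
// 'none', '*', 'self', scheme sources such as data:, and scheme://host sources.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return url.protocol !== 'data:'; // '*' does not cover data:
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Simplified host-source handling: compare origins of a full scheme://host.
  try { return new URL(source).origin === url.origin; } catch { return false; }
}

// True if the image URL is allowed: img-src applies, else default-src;
// with neither directive present the policy places no restriction on images.
function allowsImage(header, urlString, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy['img-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const url = new URL(urlString, pageOrigin);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed samples: a strict policy and a relaxed one, plus an inline SVG
// data URL like the one the issue refers to versus a bundled .svg file.
const STRICT_CSP = "default-src 'self'";
const RELAXED_CSP = "default-src 'self'; img-src 'self' data:";
const INLINE_SVG = 'data:image/svg+xml;base64,PHN2Zz48L3N2Zz4='; // constructed
const BUNDLED_SVG = '/assets/jsoneditor-icons.svg'; // hypothetical bundled path
const ORIGIN = 'https://app.example';

console.log('inline SVG under strict CSP :', allowsImage(STRICT_CSP, INLINE_SVG, ORIGIN));
console.log('bundled SVG under strict CSP:', allowsImage(STRICT_CSP, BUNDLED_SVG, ORIGIN));
```

Under the strict policy only the bundled file loads; the relaxed policy admits the inline data URL at the cost of allowing every `data:` image on the page.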

Contributor guide