Remove Data URLs from code · josdejong/jsoneditor#1418

(5 comments) (0 reactions) (0 assignees)JavaScript (10,781 stars) (2,034 forks)batch import

featurehelp wanted

Description

In this piece of code a data URL is used:

https://github.com/josdejong/jsoneditor/blob/e69a835f721bab6824b65f3d13717a20ff7d81f7/src/js/ace/theme-jsoneditor.js#L138

This requires applications using Content Security Policy directives with full restrictions to allow data: as described here and here.

https://security.stackexchange.com/questions/94993/is-including-the-data-scheme-in-your-content-security-policy-safe discusses if data: is safe or not. One answer suggests it has never been proven to be unsafe, even though multiple articles mentions it is.

To be better safe than sorry many applications forbid data: and only allow the 'self' as the CSP source.

Would it be possible to put the SVG in an external file and instead bundle it that way? I.e. as a real URL to the .svg. It's also nice in the sense that users can actually open the SVG in the src in this repo to see what it looks like 😄

Contributor guide

Tech stack: javascripthtmlcss
Domain: frontendsecurity
Issue type: refactor
Difficulty: 2
Estimated time: 1-3 hours
Activity status: active
Clarity: clear
Prerequisites: JavaScriptbuild system basics
Newbie friendliness: 85
Research direction: The main file to modify is `src/js/ace/theme jsoneditor.js` (line 138). Create a separate SVG file (e.g., `src/img/jsoneditor logo.svg`) with the content from the data URL. Then, import the SVG file in the theme file and update the reference to use the imported path instead of the data URL. Ensure the SVG is included in the build output (e.g., via webpack file loader or asset modules) and verify that the project's CSP no longer requires `data:`.