Fossil Forum

Forum content security policy

(1) By Marcio Gabe (marciogabe) on 2020-08-17 19:44:54

Hello all,

I was preparing a post for this Fossil support forum and wanted to add some small cropped screen shots (images) that would help explain the issue... then as I was previewing the post, the images would not show... just broken links icons in place of the images.

Apparently it's a policy set by Fossil about blocking content from different origin than Fossil's website, as explained in the links below:

Mozilla Content Security Policy

Another example

I was linking the pictures just as it's explained in the Markdown Formatting Rules, having them hosted on my company's website....

Apparently this is setup in the response headers that Fossil's website is returning or is not set at all, in which case the browser is assuming default value of only allowing content to be loaded from the same origin.

Question is: Is there a way to circumvent that so I can make a post here along with the explaining pictures? Should/could I upload the images to a place where the origin is allowed?

Another question: Since I'm using a self hosted Fossil repository, will I have this problem in my own environment for users to add pictures to their posts? Is it configurable?

Thanks!.... and look forward to make my other post.... Fossil is great!

MG

(2) By Richard Hipp (drh) on 2020-08-17 19:54:23 in reply to 1

Is there a way to circumvent that so I can make a post here along with the explaining pictures?

You can include a hyperlink to your pictures in the text, so that users can click on the hyperlink. But there is no way at this time to embed the pictures in your post, as we have that capability locked down for security reasons.

will I have this problem in my own environment for users to add pictures

Embedding external images is turned off by default, but you can turn it on for your own repositories. On the Admin/Settings page, there is a setting named "default-csp". You can put whatever content security policy you feel comfortable with in that setting. You can also do this from the command-line using the fossil setting command.

(4) By Marcio Gabe (marciogabe) on 2020-08-17 20:04:00 in reply to 2

Wow, thank you soo much for this quick response!

I'll go ahead and post the original question I had... and will try to explain it as best as I can without the pictures... Well... since I already prepared the captures, maybe I'll post them as links then.

Let me just take the opportunity to say how much I appreciate all you do and that I'm not only a happy Fossil user, but I also advocate for it many times here in our working place. Having watched that video Git: Just Say No, I can just honestly say I'm a huge fan of Fossil and you!

Thanks again for all you do!

MG

(5) By Warren Young (wyoung) on 2020-08-17 20:06:15 in reply to 4

will try to explain it as best as I can without the pictures... Well... since I already prepared the captures, maybe I'll post them as links then.

I've used imgur for that purpose.

Back on the topic, all of this is more fully explained in the docs.

(3) By Stephan Beal (stephan) on 2020-08-17 20:02:08 in reply to 1

Question is: Is there a way to circumvent that so I can make a post here along with the explaining pictures?

Not inlined, no. What you're reporting is indeed by design, restricted by the CSP. You are welcome to post links to the images but they won't be visible if embedded.

Should/could I upload the images to a place where the origin is allowed?

Images checked in to the forum's repository will show up just fine, as the CSP restricts content to the same origin, but this particular repo is forum-only with no files.

Another question: Since I'm using a self hosted Fossil repository, will I have this problem in my own environment for users to add pictures to their posts? Is it configurable?

You will and it is: look for the CSP configuration (I forget which admin page it's under and am on a tablet so won't go dig it out right this minute). That won't allow them to attach pictures, but will allow them to embed remote images or images checked in to that same repository.
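The behaviour drh and stephan describe (same-origin and checked-in images load, remote ones are blocked until the repository's CSP lists their origin) is the browser applying the `img-src` directive, falling back to `default-src`. The model below is an added example, not Fossil's own code; the page origin `fossil.example`, the image host `company.example` and both policy strings are constructed, and it simplifies the CSP spec (exact scheme/host/port for `'self'`, literal port matching, no `blob:`/`filesystem:` special cases beyond `*`).

```python
# Added example (not Fossil's code): how a browser decides whether an <img>
# may load under a Content-Security-Policy response header.
from urllib.parse import urlsplit


def parse_csp(policy: str) -> dict:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(source: str, url) -> bool:
    """Match a host-source such as https://cdn.example.com or *.example.com."""
    scheme, host = source.split("://", 1) if "://" in source else ("", source)
    if scheme and scheme != url.scheme:
        return False
    host, _, port = host.split("/")[0].partition(":")   # drop path, split port
    if port and port != str(url.port or ""):            # simplified: literal port match
        return False
    if host.startswith("*."):
        return url.hostname.endswith(host[1:])
    return url.hostname == host


def source_allowed(sources: list, img_url: str, page_origin: str) -> bool:
    """Apply one directive's source list to an image URL loaded from page_origin."""
    url, page = urlsplit(img_url), urlsplit(page_origin)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "'self'":           # simplified: same scheme, host and port as the page
            if (url.scheme, url.hostname, url.port) == (page.scheme, page.hostname, page.port):
                return True
        elif s == "*":              # any network scheme, but not data:/blob:/filesystem:
            if url.scheme not in ("data", "blob", "filesystem"):
                return True
        elif s.endswith(":"):       # scheme-source such as data:
            if url.scheme + ":" == s:
                return True
        elif _host_matches(s, url):
            return True
    return False                    # an empty or unmatched list blocks the load


def image_allowed(policy: str, img_url: str, page_origin: str) -> bool:
    """img-src governs images; if absent default-src applies; if neither, nothing is restricted."""
    directives = parse_csp(policy)
    sources = directives.get("img-src", directives.get("default-src"))
    return True if sources is None else source_allowed(sources, img_url, page_origin)
```

With a locked-down policy such as `default-src 'self' data:` the poster's cross-origin screenshots fail while an image checked in to the same repository loads; adding the remote host to `img-src` in the `default-csp` setting is what opens it up.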