When I attempt to display a base64 string image (returned in the response) in the Handlebars template when using the Visualize API I receive the following error.
Refused to load the image ‘data:image/JPG;base64,Base64StringHere’ because it violates the following Content Security Policy directive: “img-src http: https:”.
I would love to see this too. I’ve tried setting it via JavaScript, and I’ve tried removing the meta tag which sets the policy with JavaScript, to no avail. Would be nice if the meta tag was gone altogether or at least had the “img-src * data:” setting as mentioned above.
Hi @ddMypostman @rforb, I don’t see any reason why we cannot allow this. If we don’t find any grave security concerns from our security team, we would enable this in the subsequent app release.
@rforb The meta tags are like the necessary evils which have been added for security reasons. If not set properly, any 3rd-party library you load from a CDN has the potential to read any file on your system.
> The meta tags are like the necessary evils which have been added for security reasons. If not set properly, any 3rd-party library you load from a CDN has the potential to read any file on your system.
Oh wow, I didn’t know this was the case. I assumed the browser should protect against any script, regardless of CSP, from breaking out of its sandbox.
@ddMypostman the CSP meta tags cannot be removed because of the security implications. But the feature request for allowing data-uri is under security review now and if it gets accepted will be out soon.
@rforb The visualizer uses a nested web-view internally and as such does not provide any security unless configured with proper CSP.
@ddMypostman @rforb @quanganhdo We are rolling out v7.11.0 which allows usage of data URIs for images in Visualizer. Once you get the update, can you retry your visualizer scripts, and let us know if it works now?
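Added example, not part of any post in this thread and not Postman's code: a simplified check of an image URL against a policy's img-src list, showing why the policy in the error message rejects a data: URI and why the wildcard alone would not fix it. The function names and the sample data URI are constructed for illustration; only scheme-sources, `*` and `'none'` are modelled.

```javascript
// Policy taken from the error message in the first post.
const REPORTED_POLICY = 'img-src http: https:';
// Setting suggested in the thread.
const SUGGESTED_POLICY = 'img-src * data:';
// Constructed sample value, not a real image.
const SAMPLE_DATA_URI = 'data:image/JPG;base64,AAAA';

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the URL's scheme, lower-cased and without the colon, or null.
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// True if img-src (or default-src as fallback) permits the URL.
// Simplification: host-sources, 'self', nonces and hashes never match here.
function imageAllowed(policy, url) {
  const directives = parseCsp(policy);
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive
  const scheme = schemeOf(url);
  if (scheme === null) return false;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    // '*' covers http/https here; data: and blob: must be listed explicitly.
    if (s === '*') return scheme === 'http' || scheme === 'https';
    if (s.endsWith(':')) {
      // A scheme-source; "http:" also matches the upgraded "https" scheme.
      return s.slice(0, -1) === scheme || (s === 'http:' && scheme === 'https');
    }
    return false;
  });
}
```
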