- πΊπΈUnited States brad.bulger
I am seeing a bunch of entries saying the img-src directive was violated reporting blocked-uri as "data" - the literal word
is that this same issue - that this is somehow what was in the request?
- π³πΏNew Zealand jweowu
That sounds like https://stackoverflow.com/questions/18447970
I.e. you want to add
data:with the trailing colon as one of your permittedimg-srcvalues. - πΊπΈUnited States brad.bulger
When the blocked-uri value is just "data" or "blob" - not "data:" - I don't know if that is supposed to be a hostname or if it is in fact the schema of that name. If blocked-uri should always be a URI - always have a schema - I guess that would tell me.
This is information coming from the requester, is that correct? It's what's in the HTTP request from the client?
- π³πΏNew Zealand jweowu
> This is information coming from the requester, is that correct? It's what's in the HTTP request from the client?
Correct. The web site merely tells the user agent what the rules are, but it's the user agent which enforces the rules (and optionally reports any would-be violations that it suppressed). Drupal is then logging the content of the violation-report requests.