Comments (3)
Loading external resources in the Admin UI is not allowed for security reasons by the default Content Security Policy (CSP).
I'll think a little more on it later this week as I'm not sure what would be the best course of action here (adding exception for common websites vs enable all external iframes/images, add flag to change the csp, etc.).
from pocketbase.
After some more thought I decided to leave it as it is as I don't feel it is worth the risk allowing by default loading external media sources especially in the TinyMCE preview editor (see TinyMCE vulnerability fixes).
Technically loading external img-src is not a vulnerability vector on its own, as the src in our case is not allowed to be executed as JS, but if the content of the field could be updated by non-admin users it could be used to try to find/track the admin IP or try to break/block the PocketBase Admin UI in case the browser attempts to render a 500MB remote img file.
For the iframe the situation is slightly different, but it too comes with some security concerns depending on where the user-controlled iframe src is pointing to.
So for now I'll close the issue and classify it as a "known limitation" but with the refactoring I'll consider at least allowing users to overwrite the default CSP.
from pocketbase.
Side-note: In the future we'll replace TinyMCE entirely due to its recent v7 license change - tinymce/tinymce#9496.
from pocketbase.
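The CSP behaviour discussed in the comments above, as an added example that is not part of the thread or of PocketBase's code: a small Go checker that decides, for a given Content-Security-Policy header, whether an img or iframe load would be permitted, including the default-src fallback that governs frame-src when no explicit directive is set. The header values and URLs are constructed illustrations, not PocketBase's actual default CSP; pageOrigin is assumed to be given as scheme://host with no trailing slash.

```go
package main

import (
	"net/url"
	"strings"
)

// parseCSP maps each directive of a (lower-cased) CSP header to its source list.
func parseCSP(header string) map[string][]string {
	policy := map[string][]string{}
	for _, d := range strings.Split(strings.ToLower(header), ";") {
		if f := strings.Fields(d); len(f) > 0 {
			policy[f[0]] = f[1:]
		}
	}
	return policy
}
// Allowed reports whether a page at pageOrigin may load resource under directive
// (e.g. "img-src"), falling back to default-src as browsers do. Supports 'self',
// 'none', scheme-sources (data:, https:) and host-sources with optional scheme or
// "*." wildcard; nonces, hashes and port matching are out of scope.
func Allowed(header, directive, pageOrigin, resource string) bool {
	policy := parseCSP(header)
	sources, ok := policy[directive]
	if !ok {
		if sources, ok = policy["default-src"]; !ok {
			return true // no applicable directive: the load is unrestricted
		}
	}
	res, err := url.Parse(resource)
	if err != nil {
		return false
	}
	host := strings.ToLower(res.Host)
	for _, s := range sources {
		switch {
		case s == "'self'": // same scheme and host as the page itself
			ok = res.Scheme+"://"+host == strings.ToLower(pageOrigin)
		case strings.HasSuffix(s, ":"): // scheme-source such as data: or https:
			ok = res.Scheme+":" == s
		default: // host-source, e.g. cdn.example.com or https://*.example.com
			h := strings.TrimPrefix(s, res.Scheme+"://")
			ok = s != "'none'" && !strings.Contains(h, "://") && (h == host ||
				strings.HasPrefix(h, "*.") && strings.HasSuffix(host, h[1:]))
		}
		if ok {
			return true
		}
	}
	return false
}
```

A restrictive policy such as `default-src 'self'; img-src 'self' data:` rejects both a remote image and an iframe from another origin, while an operator override that adds `https://*.example.com` to img-src admits images from that domain only over HTTPS.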