CSP Breaking Gravatar?

security

(John) #1

Looks like one of the more recent updates broke the Gravatar. Chrome is showing a CSP error on that image. Currently 2018.3.1. Don’t see it in the release notes for .2 or .3.



(Michael Noonan) #3

Hi John,

Thanks for getting in touch! You’re right, the CSP is kicking in and denying that image. We set our CSP to allow images from the same origin as the web page, and from https://www.gravatar.com.

img-src data: https://www.gravatar.com 'self';

In this case the gravatar URL looks like it’s being rewritten from https://www.gravatar.com to go via https://gateway.zscloud.net. This is what seems to be upsetting the browser. Perhaps this is a proxy in your network?

Can you investigate and get back to me?

At this point I don’t think it’s a problem in Octopus Server itself.

Depending on your findings, one way to work around this kind of situation may be to let you define a custom CSP, but that could be brittle or create a security problem. At this point we don’t have plans to let people customise the CSP used by Octopus, but in your situation it may be one way to work around the problem.

Hope that helps!
Mike
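As an added illustration of the `img-src` matching Mike describes (this is example code, not part of the thread or of Octopus Server), the small checker below applies the quoted directive to a few constructed image URLs the way the browser does: a Gravatar URL and a same-origin image pass, while the same avatar rewritten to go via gateway.zscloud.net is refused because no source expression covers that host. The page origin is a placeholder, and the rewritten URL is constructed (the thread does not show the exact form the proxy produces).

```python
from urllib.parse import urlparse

# Directive quoted in the reply above (Octopus Server's img-src).
IMG_SRC = "img-src data: https://www.gravatar.com 'self';"

# Placeholder origin for the Octopus web page (constructed, not from the thread).
PAGE_ORIGIN = "https://octopus.example.internal"


def parse_img_src(directive: str) -> list[str]:
    """Split one CSP directive into its source expressions."""
    name, _, rest = directive.strip().rstrip(";").partition(" ")
    if name != "img-src":
        raise ValueError(f"not an img-src directive: {name}")
    return rest.split()


def _host_matches(pattern_host: str, host: str) -> bool:
    # '*.example.com' covers any subdomain; otherwise hosts must be equal.
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return pattern_host == host


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Simplified CSP source-expression match (scheme, host, explicit port).
    Default-port equivalence and 'unsafe-*' keywords are not modelled."""
    target = urlparse(url)
    if expr == "'self'":
        expr = page_origin  # 'self' is the page's own scheme + host + port
    if expr.endswith(":"):  # scheme-source such as data:
        return target.scheme == expr[:-1]
    pattern = urlparse(expr if "://" in expr else f"//{expr}")
    if pattern.scheme and pattern.scheme != target.scheme:
        return False  # e.g. http:// image on an https 'self' origin
    if not _host_matches(pattern.hostname or "", target.hostname or ""):
        return False  # gateway.zscloud.net is not www.gravatar.com
    if pattern.port and pattern.port != target.port:
        return False
    return True


def image_allowed(url: str, page_origin: str = PAGE_ORIGIN,
                  directive: str = IMG_SRC) -> bool:
    """True if any source expression in the directive permits the image URL."""
    return any(source_allows(e, url, page_origin) for e in parse_img_src(directive))


def check_avatar_urls(urls: list[str]) -> dict[str, bool]:
    """Evaluate several constructed image URLs; the rewritten one is blocked."""
    return {u: image_allowed(u) for u in urls}
```

Running `check_avatar_urls` over the Gravatar URL, its proxy-rewritten twin and a same-origin image reproduces the behaviour in the screenshot: only the rewritten URL is denied, which is why a network proxy is the first thing to check.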


(John) #4

Ahh. I should have caught that. This is very likely because of our internet gateway. I’ll look into this internally. Thanks!


(Michael Noonan) #5

Hi John,

Thanks for keeping in touch! All the best on your hunt!
Mike