CSP Errors on Cropped Images - but only in Firefox and Safari
I have a CSP in my site and it works fine in Chrome and Edge. However in Safari and Firefox I am getting CSP for images that have image cropper parameters in the url (e.g. image.png?width=100&height=60).
The site uses Azure blob storage to store images and the error message is along the lines of:
Content Security Policy: The page's settings blocked the loading of a resource at http://mysite.blob.core.windows.net/cache/d/4/3/6/a/3/b146a3e5010535e44459afe6e0b761c9d1486f36.png ("img-src").
I suspect the issue may have something to do with it using the http protocol when accessing the cached image but I have set umbracoUseSSL to true and the AzureUmbracoBlobStorageRootUrl uses the https protocol as does the AzureUmbracoBlobStorageConnectionString in web.config.
I even deleted the cache folders in blob storage in the hope that rebuilding the images would fix this but no joy.
Any help on this would be much appreciated - it is very frustrating that the CSP works in some browsers but not others.
Hi Tracey,
I'm by no means an expert on blob storage, but did you check if your blob storage actually accepts https connections? I don't know what default behaviour is, but perhaps the blob storage redirects to http itself?
If you look at the generated source in your browser dev tools (or redirect, I believe images are redirected by the image cropper). Does it have https as protocol? Or do you go straight to http?
You could also try searching through your source, see if you've missed any configurations. In Visual Studio you'd press Ctrl+Shift+F to search through all your files.
Thanks so much for your response Dennis.
It was as you suggested in some config file. So although in web.config the protocols were https, in imageprocessor/cache.config and imageprocessor/security.config the protocols were just http.
I also made sure that my blob storage only allowed requests via https.
Really appreciate your help with this :)
That's very nice to hear Tracey!
If you could spare a second, perhaps you could mark your question as solved. That way, everyone can see that you've solved your problem. It'll be helpful for people with the same problem.
Done.
Thanks Dennis
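A check for the mismatch found in this thread, as an added example that is not part of the original posts: it parses every `*.config` file under a site folder and lists the settings whose value is an `http://` URL. The sample files are constructed; their element layout and the setting names `CachedCDNRoot` and `Host` are assumptions, and only the file names and the blob host come from the thread.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def find_cleartext_urls(xml_data):
    """Return (element tag, setting key or attribute name, value) for each http:// value."""
    findings = []
    for el in ET.fromstring(xml_data).iter():
        for name, value in el.attrib.items():
            if value.strip().lower().startswith("http://"):
                # Prefer the human-readable key="..." of <add>/<setting> elements.
                findings.append((el.tag, el.attrib.get("key", name), value))
        text = (el.text or "").strip()
        if text.lower().startswith("http://"):
            findings.append((el.tag, "#text", text))
    return findings


def scan_config_dir(config_dir):
    """Map each *.config file (relative path) to its cleartext-URL findings."""
    report = {}
    for path in sorted(Path(config_dir).rglob("*.config")):
        try:
            hits = find_cleartext_urls(path.read_bytes())
        except ET.ParseError as exc:
            hits = [("<unparsed>", "error", str(exc))]  # surface, do not skip
        if hits:
            report[path.relative_to(config_dir).as_posix()] = hits
    return report


# Constructed sample files: layout and setting names are assumptions.
SAMPLE = {
    "web.config": '<configuration><appSettings><add key="AzureUmbracoBlobStorageRootUrl" '
                  'value="https://mysite.blob.core.windows.net/"/></appSettings></configuration>',
    "imageprocessor/cache.config": '<caching><settings><setting key="CachedCDNRoot" '
                  'value="http://mysite.blob.core.windows.net/"/></settings></caching>',
    "imageprocessor/security.config": '<security><settings><setting key="Host" '
                  'value="http://mysite.blob.core.windows.net/media/"/></settings></security>',
}


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, xml in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(xml, encoding="utf-8")
        return scan_config_dir(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        for tag, key, value in hits:
            print(f"{name}: <{tag}> {key} = {value}")
```

Point `scan_config_dir` at the site's own config folder; any hit whose host also appears in the CSP `img-src` list only with `https:` is a candidate for the kind of block reported above.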