Odd Impact of Content Security Policy on NGG | WordPress.org

Resolved ispreview
(@ispreview)

3 years, 3 months ago
Recently we’ve been experimenting with different ‘Content Security Policies’ on the server, but we’ve found that even with one of the weakest there seems to be an unusual outcome for NextGen Gallery. For example using a CSP like this, which is about as soft as you can get..

Content-Security-Policy: default-src * data:; script-src https: ‘unsafe-inline’ ‘unsafe-eval’; style-src https: ‘unsafe-inline’;

..means that when you go to ‘Add Gallery / Images’ and select an image to add then you will only see the default (general) thumbnail for the system rather than a thumbnail of the actual selected image itself in the pre-upload preview (i.e. this is just before you press the ‘Upload 1 Image’ button to finish, when the images you’ve chosen to upload are all listed but not yet uploaded).

I can’t figure out why the CSP would be stopping the preview images from showing properly. Any ideas?

The images are fine once they’re uploaded, but it’s just in the preview stage where this occurs.
- This topic was modified 3 years, 3 months ago by ispreview.

Viewing 1 replies (of 1 total)

Benjamin
(@benjaminowens)

3 years, 3 months ago

You may need to add img-src as well to your Content-Security-Policy:

img-src https: filesystem: 'unsafe-inline'

Viewing 1 replies (of 1 total)

The topic ‘Odd Impact of Content Security Policy on NGG’ is closed to new replies.

In: Plugins
1 reply
2 participants
Last reply from: Benjamin
Last activity: 3 years, 3 months ago
Status: resolved