Description
Our current set of CSP rules doesn't allow pasting image sources as external URLs into a markdown file. This feels like a bug and we should improve it. At the same time we don't want to open an attack vector for XSS attacks, tracking, etc. via malicious images.
User Stories
- As a user writing markdown files, I want to paste external image URLs and have a rendered preview so that I don't need to bloat the file size of my markdown file.
- As an admin I want to protect my users from XSS attacks and tracking via external image URLs so that I sleep well.
Value
External images in markdown files.
Acceptance Criteria
- Pasting a URL to an external image source leads to the image being rendered in the web UI
- Downloading the markdown file doesn't break the image rendering in a locally installed editor/viewer
- Uploading a markdown file with external image sources leads to the images being rendered in the web UI
- The thumbnailer accepts external image URLs as input
- The image is served via an internal (own) URL
- The output is XSS-safe, i.e. sanitized and free of malicious code
Note: a CSP rule of `img-src *` makes all of this possible but is considered dangerous. Hence we need another solution.
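To illustrate the approach the acceptance criteria describe (external images routed through an internal URL so the CSP can stay at `img-src 'self'`), here is an added example that is not part of this issue or the project's code; the `/thumbnails?url=` route, the sample markdown and the image regex are assumptions for the demonstration.

```python
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed markdown sample for the demonstration (not from the issue).
SAMPLE_MD = (
    "Logo: ![logo](https://example.org/logo.png)\n"
    "Local: ![diagram](images/diagram.png)\n"
    "Bad: ![x](javascript:alert%281%29)\n"
)

# Minimal matcher for ![alt](url); a real renderer would use its markdown parser.
IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)\)")

# Hypothetical internal thumbnailer route; the issue does not name the real one.
THUMBNAIL_ROUTE = "/thumbnails?url="


def rewrite_image_url(url: str) -> Optional[str]:
    """Map an image URL to one the CSP allows, or return None to drop it.

    Relative URLs stay as they are (same origin, already covered by 'self').
    Absolute http(s) URLs are routed through the internal thumbnailer, so the
    browser only ever loads images from our own origin. Any other scheme
    (javascript:, data:, file:, ...) is rejected rather than passed through.
    """
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url
    if parts.scheme in ("http", "https") and parts.netloc:
        return THUMBNAIL_ROUTE + quote(url, safe="")
    return None


def render_markdown_images(md: str) -> str:
    """Rewrite image references for the web UI only.

    The stored file is never modified, so a downloaded copy still renders
    the original external URLs in a local editor/viewer.
    """
    def _sub(match: "re.Match[str]") -> str:
        alt, url = match.group(1), match.group(2)
        target = rewrite_image_url(url)
        if target is None:
            return alt  # drop the image element, keep only the alt text
        return f"![{alt}]({target})"
    return IMAGE_RE.sub(_sub, md)


def csp_header() -> str:
    """CSP that keeps images on our own origin instead of using img-src *."""
    return "default-src 'self'; img-src 'self'; object-src 'none'"
```

The thumbnailer behind the internal route is then the only component fetching user-supplied URLs, so it must restrict what it retrieves (scheme, response size, content type) and re-encode the image before serving it, which is what makes the rendered output sanitized.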
Definition of ready
Definition of done
- Functional requirements
- Quality
- Non-functional requirements
- Configuration changes