Hello all,
I am trying to show the avatar image for my users (assignee, etc.) and for that I am using the link returned by the REST API (issue search). I am not able to use any image; I get this warning in my forge tunnel console window:
CSP violation detected for ‘img-src’ while serving content at http://localhost:8002/
For an app to share data with external resources or use custom CSP, follow the steps in: http://go.atlassian.com/forge-content-security-and-egress-controls
What I tried already: add safe.gravatar.com to the permissions.external.images part of my manifest file, then forge deploy, forge install --upgrade – both several times.
I’ve also noticed that gravatar site is mentioned in the headers automatically, see mine:
Content-Security-Policy
default-src 'self'; frame-ancestors 'self' *.atlassian.net; img-src 'self' data: blob: https://secure.gravatar.com https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net https://api.atlassian.com *.my.external.site.lorem.ipsup.org; media-src 'self' data: blob:; connect-src 'self'; script-src 'self' https://forge.cdn.prod.atlassian-dev.net 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; sandbox allow-downloads allow-forms allow-modals allow-same-origin allow-scripts; report-uri http://localhost:8003
Well, obviously the secure.gravatar.com site is not the root of the problem. Then I noticed that my avatars do not exist, i.e. the gravatar.com site returned a 302 status code with a new location *.wp.com. After adding *.wp.com to the permissions.external.images, avatars are magically working correctly.
Update: 'my avatars do not exist' means that I didn't upload any avatar for my users, and the generic one with the first letter of the name/surname is used instead.
Maybe this post will save you time (I've spent quite a lot of it on this simple trifle…), or maybe you, Atlassian guys, can update the defaults and automatically allow all sites which can be used for avatars (URLs returned from your REST API, not some weird third-party avatars).
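The failure above is easy to reproduce offline once you remember that a browser re-evaluates img-src on every hop of a redirect, so the host the image finally comes from has to be listed, not only the host in the URL you put in the img tag. The following is an added example written for this thread, not code from the original post, from Forge, or from Atlassian: a small CSP source-expression matcher (host wildcards, schemes, ports, paths, 'self') run over the exact Content-Security-Policy header quoted in the post. The document origin http://localhost:8002 is the tunnel origin from the warning; the gravatar URL, the i0.wp.com hostname and the avatar paths in the redirect chain are constructed sample data, and withImgSource only approximates what adding a host to permissions.external.images does to the generated header.

```javascript
// Added example (not from the original post or from Forge): check a redirect
// chain of image URLs against the img-src directive of a CSP header.

const DOCUMENT_ORIGIN = 'http://localhost:8002'; // forge tunnel origin from the post

// The header exactly as quoted in the post (report-uri and sandbox omitted).
const CSP_HEADER =
  "default-src 'self'; frame-ancestors 'self' *.atlassian.net; " +
  "img-src 'self' data: blob: https://secure.gravatar.com " +
  'https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net ' +
  'https://api.atlassian.com *.my.external.site.lorem.ipsup.org; ' +
  "media-src 'self' data: blob:; connect-src 'self'";

// Constructed redirect chain: the post reports a 302 from gravatar to a
// *.wp.com host when no avatar was uploaded; hostname and paths are assumed.
const REDIRECT_CHAIN = [
  'https://secure.gravatar.com/avatar/0123456789abcdef?d=identicon',
  'https://i0.wp.com/avatar/0123456789abcdef',
];

// Split "name src src; name src" into a Map; CSP ignores duplicate directives.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one CSP source expression match the target URL (a URL object)?
function sourceMatches(source, target, docOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return target.origin === docOrigin.origin;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src; // data:, blob:
  // host source: [scheme://]host[:port][/path], host may be "*" or "*.example"
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[^/:]+|[^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // An explicit scheme must match; without one, the document's scheme or https is accepted.
  if (scheme) {
    if (target.protocol !== scheme + ':') return false;
  } else if (target.protocol !== docOrigin.protocol && target.protocol !== 'https:') {
    return false;
  }
  // "*.wp.com" needs at least one label before ".wp.com"; "wp.com" itself does not match.
  if (host !== '*') {
    if (host.startsWith('*.')) {
      if (!target.hostname.endsWith(host.slice(1))) return false;
    } else if (target.hostname !== host) return false;
  }
  // No port in the source means the scheme's default port (URL.port is '' then).
  if (port !== '*' && (port || '') !== target.port) return false;
  // A path ending in "/" is a prefix match, anything else must match exactly.
  if (path && !(path.endsWith('/') ? target.pathname.startsWith(path) : target.pathname === path)) return false;
  return true;
}

// img-src falls back to default-src when absent.
function cspAllowsImage(cspHeader, url, documentOrigin = DOCUMENT_ORIGIN) {
  const directives = parseCsp(cspHeader);
  const sources = directives.get('img-src') ?? directives.get('default-src') ?? [];
  const target = new URL(url);
  const docOrigin = new URL(documentOrigin);
  return sources.some((s) => sourceMatches(s, target, docOrigin));
}

// The browser checks every hop, so return the first URL in the chain that
// img-src blocks, or null when the whole chain is allowed.
function firstBlockedHop(cspHeader, chain, documentOrigin = DOCUMENT_ORIGIN) {
  for (const url of chain) {
    if (!cspAllowsImage(cspHeader, url, documentOrigin)) return url;
  }
  return null;
}

// Approximation (assumed) of what adding a host to permissions.external.images
// does to the generated header: append it to img-src.
function withImgSource(cspHeader, source) {
  return cspHeader.replace(/(^|;\s*)img-src\b([^;]*)/, (_, pre, srcs) => `${pre}img-src${srcs} ${source}`);
}

console.log('blocked hop before fix:', firstBlockedHop(CSP_HEADER, REDIRECT_CHAIN));
console.log('blocked hop after fix: ', firstBlockedHop(withImgSource(CSP_HEADER, '*.wp.com'), REDIRECT_CHAIN));
```

Run it with node: the first call reports the i0.wp.com hop as blocked even though the gravatar URL itself passes, which is exactly what the tunnel's 'img-src' violation was saying; after *.wp.com is appended the chain is clean. The matcher also shows why a bare wp.com or a plain-http gravatar URL would still be rejected, which is worth keeping in mind when an avatar provider changes where it redirects.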