• Resolved bviktor

    (@bviktor)


    So the other topics are closed, because reasons.

    I figured out what the issue was: CSP. Apparently the plugin tries to construct a blob:

    Content-Security-Policy: The page’s settings blocked a worker script (worker-src) at blob:https://noobient.com/3221e2c3-6fcd-49c2-a84a-8bfb57fd32d1 from being executed because it violates the following directive: “default-src https: 'unsafe-inline' 'unsafe-eval'”

    And the relevant code appears to be “new window.Blob” in jstree.js.

    Please adjust this code to not use blobs if possible, so that we can use more secure settings for CSP.

    Currently something like this should be a working workaround:

    worker-src blob:

    Preferably, the plugin should also restrict itself to the “wp-content/uploads” dir, because I don’t see any reason why not to. I don’t want this plugin to touch other plugins’ assets, themes, or anything, only uploaded images. Would be faster, less error prone, and more secure.

Viewing 1 replies (of 1 total)
  • Plugin Author kubiq

    (@kubiq)

    Hello,

    that’s just a jQuery library for rendering that directory tree. Honestly, I’ve never investigated it so deeply and I don’t know why it uses blob, but there will be some reason for that I guess.

    I will take a note about this and maybe when I will have more time I can try to replace this library with another one without blobs.

    Your workaround sounds good, or you can also try something like worker-src https://noobient.com; but in general, that sounds like a very strict policy setup, so I guess you probably need to play with such things from time to time.

    Convertor is not restricted only to wp-content/uploads, because people want to optimize also assets from themes, plugins and sometimes they use some crazy setups where uploads are in the root etc… it’s not perfect, but I had a lot of requests about this actually.

    Thanks for your time and have a nice day 😉
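As an added illustration (not code from the plugin, the jstree library or either poster), the following Python evaluates whether a worker URL passes a Content-Security-Policy using the worker-src, then child-src, then script-src, then default-src fallback defined in CSP Level 3. It reproduces the block quoted in the report and shows why the `worker-src blob:` workaround passes while a host source alone does not match a blob: URL. Matching is simplified: ports and paths are ignored and 'self' is treated as an exact scheme-and-host match with the page origin.

```python
from urllib.parse import urlsplit

# CSP Level 3 fallback chain used when a worker is fetched.
WORKER_FALLBACK = ("worker-src", "child-src", "script-src", "default-src")


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def governing_directive(policy, chain):
    """Return the first directive in the fallback chain that the policy actually sets."""
    return next((name for name in chain if name in policy), None)


def source_matches(expr, url, page_origin):
    """Simplified source-expression matching: 'self', scheme sources (blob:, https:)
    and host sources (https://noobient.com, *.example.com). Ports/paths are ignored."""
    u, page = urlsplit(url), urlsplit(page_origin)
    e = expr.lower()
    if e.startswith("'"):                 # keywords: only 'self' can match a URL here
        return e == "'self'" and (u.scheme, u.hostname) == (page.scheme, page.hostname)
    if e.endswith(":") and "/" not in e:  # scheme source, e.g. "blob:"
        return u.scheme == e[:-1]
    if "://" not in e:                    # host source without a scheme: page's scheme
        e = page.scheme + "://" + e
    h = urlsplit(e)
    if u.scheme != h.scheme or not u.hostname:  # a blob: URL has no host, so never matches
        return False
    if h.hostname.startswith("*."):
        return u.hostname.endswith(h.hostname[1:])
    return u.hostname == h.hostname


def worker_allowed(header, worker_url, page_origin):
    """Return (allowed, directive): whether the worker may load and which directive
    decided it (None when the policy does not restrict workers at all)."""
    policy = parse_csp(header)
    directive = governing_directive(policy, WORKER_FALLBACK)
    if directive is None:
        return True, None
    return any(source_matches(s, worker_url, page_origin) for s in policy[directive]), directive


PAGE = "https://noobient.com"
WORKER = "blob:https://noobient.com/3221e2c3-6fcd-49c2-a84a-8bfb57fd32d1"  # URL from the report
BLOCKING = "default-src https: 'unsafe-inline' 'unsafe-eval'"   # policy quoted in the report
WORKAROUND = BLOCKING + "; worker-src blob:"                      # the suggested workaround
```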
