Reputation: 1649
Images not displayed for many Github sites (Content Security Policy)
I experience a multitude of Github sites where the embedded images are not shown. By page inspection i get:
Examples:
Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com".
Refused to load the image 'https://raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com/s/raw.githubusercontent.com/othneildrew/Best-README-Template/master/images/screenshot.png?X-OpenDNS-Session=_f7905b88047890475409fdb099cfa2fdcd239270fc5e_tzftKMMb_' because it violates the following Content Security Policy directive: "img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com".
The following pages works fine: Vue, Tensorflow, FreeCodeCamp.
Above is for Chrome, but same issue for Edge. I only see these issues on my corporate PC (even outside the corporate VPN).
- Which security policies cause this? (Browser settings, firewall/antivirus?)
- Why are some pages failing why other are not?
- Does the failing sites actually cause a security risk (such as XSS), and should there be opened issues against the failing Github sites or Github in general?
Upvotes: 2
Views: 1215
Answers (2)
Reputation: 4639
You'll have to verify that this does not violate any IT policies at your company but adding a line like
185.199.108.133 raw.githubusercontent.com
to "C:\Windows\System32\drivers\etc\hosts" may fix it
Upvotes: 2
Reputation: 3475
You are not loading your images from raw.githubusercontent.com but from raw.githubusercontent.com.x.f7905b88047890475409fdb099cfa2fdcd23.9270fc5e.id.opendns.com. It could be that your corporate PC does some rewrites to filter images through opendns.com. You would likely need to add "*.id.opendns.com" or "*.opendns.com" to img-src to work in this specific environment.
If you monitor CSP reports you will see that corporate security products often makes modifications that causes CSP violations.
Upvotes: 3
Related Questions
- GitHub README Images Broken - "violates the following Content Security Policy directive: "img-src 'self'"
- images show up locally but not on github pages
- Images aren't displaying on github pages
- cannot see images in site hosted in github
- HTML/ GitHub Hosted Website, jpg images not showing up
- Github pages not displaying images
- Image does not load on site hosted on Github
- Github pages doesn't show images on my website
- Github pages not showing images
- Images aren't loading online on my GitHub web page