Image/File uploads being blocked due to CSP
See original GitHub issueAknowledgements
-
I have checked that there’s no other issue describing the same or similar problem that I currently have, regardless if it has been closed or open.
-
I can confirm that this is not an issue with the Discord website, but it is a problem specific to the WebCord itself. I have tested if this bug occurs on Chromium/Chrome or any other Chromium-based browser that uses unpatched/upstream Chromium engine.
-
I have tried running the build from the
master
branch and it does not have any fixes implemented according to my issue. -
My issue describes one of the unstable and/or not fully implemented features.
-
I have found a workaround to mitigate or temporarily fix this issue in affected releases (please write it in Additional context section below).
Operating System / Platform
🐧️ Linux
Operating system architecture
x64 (64-bit Intel/AMD)
Electron version
v19.0.5
Application version
v3.5.0(devel)
Bug description
Attempting to simply upload a file(for eg a screenshot) leads to an “Upload failed” popup. Upon checking in Chrome Devtools, there is a CSP error
af1ab6639961ea88c5c7.js:128 Refused to connect to 'https://discord-attachments-uploads-prd.storage.googleapis.com/XXXX-XXXX-XXXX-XXXX-XXXX/unknown.png?upload_id=XXXX-XXXX' because it violates the following Content Security Policy directive: "connect-src 'self' https://status.discordapp.com https://status.discord.com https://discordapp.com https://discord.com https://cdn.discordapp.com https://media.discordapp.net https://router.discordapp.net wss://*.discord.gg https://best.discord.media https://latency.discord.media wss://*.discord.media wss://dealer.spotify.com https://api.spotify.com https://*.hcaptcha.com https://hcaptcha.com https://*.googlevideo.com https://api.twitter.com/1.1/guest/activate.json https://api.twitter.com/1.1/videos/tweet/config/ https://video.twimg.com/ext_tw_video/ https://api.twitch.tv/v5/channels/ https://gql.twitch.tv/gql https://spade.twitch.tv/track https://static.twitchcdn.net/assets/ https://usher.ttvnw.net/api/channel/hls/ https://*.hls.ttvnw.net/v1/playlist/ https://*.hls.ttvnw.net/v1/segment/ https://fresnel.vimeocdn.com/add/ https://24vod-adaptive.akamaized.net/ https://*.algolianet.com https://*.algolia.net https://v.redd.it".
Additional context
Issue Analytics
- State:
- Created a year ago
- Comments:12 (6 by maintainers)
Top GitHub Comments
File > Settings > Advanced > Content Security Policy > Uncheck “Use built-in Content Security Policy”
Oh, I’ll just probably add a CSP entry for Google, right now you can disable WebCord’s CSP if you need to upload files and in the next update it should be fixed… I forgot about this, so it won’t make it to
3.5.1
.