File: crates/web/index.html:28, crates/web/src/components/message.rs:974-977
Severity: security
Obvious? no
CSP img-src 'self' data: blob: does NOT include https:. Code at crates/web/src/components/message.rs:974-977 renders external image URLs from chat messages via <img src=url /> (is_image_url() only checks that the URL starts with an https:// or http:// scheme). Recent fix #243 added referrerpolicy="no-referrer" to these embeds — implying intent to allow external images — but CSP blocks them. Either the auto-embed silently fails in production (UX bug + #243 work was effectively dead), or CSP must add https: to img-src.
Fix: verify behavior in browser; if external images are intended, append https: to img-src. If not, remove the auto-embed code path.
Filed by /general-audit @ 6404719 (2026-05-03). master: #567.
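Added illustration (not code from the project or from this finding's author): a minimal img-src evaluator that shows why an https:// image URL is blocked under the current directive and allowed once https: is appended, and why an http:// URL accepted by is_image_url() stays blocked even after the fix. The page origin https://chat.example and the function name img_src_allows are assumptions.

```rust
/// Decide whether an `img-src` source list permits loading `url` from a page
/// served at `page_origin`. Models only what this finding needs: 'self',
/// scheme-sources (https:, data:, blob:) and exact host-sources. Wildcards,
/// nonces and hashes are not modelled. Absolute URLs only, which is what the
/// auto-embed path passes in (is_image_url() requires an http(s) scheme).
pub fn img_src_allows(sources: &str, page_origin: &str, url: &str) -> bool {
    let Some((scheme, _)) = url.split_once(':') else {
        return false;
    };
    let scheme = scheme.to_ascii_lowercase();
    sources.split_whitespace().any(|src| match src {
        "'none'" => false,
        // 'self': same origin; trailing slash stops chat.example.evil matching.
        "'self'" => url == page_origin || url.starts_with(&format!("{page_origin}/")),
        // scheme-source: per CSP3, `http:` also matches https: URLs, never the reverse.
        s if s.ends_with(':') => {
            let allowed = s[..s.len() - 1].to_ascii_lowercase();
            allowed == scheme || (allowed == "http" && scheme == "https")
        }
        // host-source with or without an explicit scheme.
        host => url.starts_with(&format!("{host}/")) || url.starts_with(&format!("https://{host}/")),
    })
}

fn main() {
    // Directive from crates/web/index.html:28 as quoted in the finding, and the proposed fix.
    let current = "'self' data: blob:";
    let fixed = "'self' data: blob: https:";
    let origin = "https://chat.example"; // assumed deployment origin
    for (label, sources) in [("current", current), ("fixed", fixed)] {
        for url in ["https://cdn.example/cat.png", "http://cdn.example/cat.png"] {
            println!("{label}: {url} -> {}", img_src_allows(sources, origin, url));
        }
    }
}
```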