CSP img-src adds https: only, not http:, per #584 fix 39a9f1d. Reason: an http: image fetch on an https page is a mixed-content downgrade.
But extract_urls (crates/web/src/components/message.rs:112-113) matches both https:// and http://, so auto-embed still hands <img src="http://..."> to the DOM. The CSP block and the browser's mixed-content block both stop the fetch, so there is no broken render and no XSS surface, but a dead <img> element is still emitted.
Cleanup: in extract_urls or is_image_url, reject the http:// scheme for image auto-embed. Keep http:// link rendering (text link + new tab); only image auto-embed needs to be https-only.
Files:
crates/web/src/components/message.rs:37-41 (is_image_url)
crates/web/src/components/message.rs:112-136 (extract_urls + image branch)
Out of scope for this run: the file is locked under PR #566. Pick up after merge.
Refs #584
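Sketch of the intended cleanup, as an added example and not the crate's own code from message.rs: the names, signatures and the whitespace-based tokenizer are assumptions. Image auto-embed accepts https:// only, while http:// URLs still come back as plain links, so nothing the CSP would block ever reaches the DOM as an <img>.

```rust
// Added example (not the project's own message.rs). Function names, the
// UrlRender enum and the tokenizer are assumptions, not the real crate's API.

/// How a URL found in message text should be rendered.
#[derive(Debug, PartialEq, Eq)]
pub enum UrlRender {
    /// Safe to auto-embed as <img>: https only, image extension.
    Image(String),
    /// Rendered as a plain text link (new tab), never as <img>.
    Link(String),
}

const IMAGE_EXTS: [&str; 5] = [".png", ".jpg", ".jpeg", ".gif", ".webp"];

/// True only for https:// URLs whose path ends in an image extension.
/// http:// is rejected here so that `img-src https:` never receives a URL
/// it would block anyway, and no dead <img> element lands in the DOM.
pub fn is_image_url(url: &str) -> bool {
    if !url.starts_with("https://") {
        return false;
    }
    // Strip query string and fragment before checking the extension.
    let path = url.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    let lower = path.to_ascii_lowercase();
    IMAGE_EXTS.iter().any(|ext| lower.ends_with(ext))
}

/// Split message text on whitespace and classify every http(s) URL.
/// Links keep both schemes; image auto-embed is https-only.
pub fn extract_urls(text: &str) -> Vec<UrlRender> {
    text.split_whitespace()
        .filter(|tok| tok.starts_with("https://") || tok.starts_with("http://"))
        .map(|tok| {
            // Trim trailing punctuation commonly glued to URLs in prose.
            let tok = tok.trim_end_matches(|c: char| c == '.' || c == ',' || c == ')');
            if is_image_url(tok) {
                UrlRender::Image(tok.to_string())
            } else {
                UrlRender::Link(tok.to_string())
            }
        })
        .collect()
}

fn main() {
    // Constructed sample message: one https image, one http image, one plain link.
    let msg = "see https://cdn.example/a.png and http://cdn.example/b.png or https://example.org/doc";
    for u in extract_urls(msg) {
        println!("{:?}", u);
    }
}
```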