Skip to content

csp/blank.html: prevent favicon violation#1685

Draft
alxndrsn wants to merge 2 commits intogetodk:nextfrom
alxndrsn:blank-html-allow-favicon
Draft

csp/blank.html: prevent favicon violation#1685
alxndrsn wants to merge 2 commits intogetodk:nextfrom
alxndrsn:blank-html-allow-favicon

Conversation

@alxndrsn
Copy link
Contributor

@alxndrsn alxndrsn commented Mar 13, 2026
edited
Loading

  • allow favicon
  • rename policy, as it is no longer "disallowing all"

Resolves:

Firefox:

In FaviconLoader.sys.mjs:224:20:

Content-Security-Policy: (Report-Only policy) The page’s settings would block the loading of a resource (img-src) at https://dev.getodk.cloud/favicon.ico because it violates the following directive: “img-src https://translate.google.com”

Chrome:

In blank.html:

Loading the image 'https://dev.getodk.cloud/favicon.ico' violates the following Content Security Policy directive: "img-src https://translate.google.com". The policy is report-only, so the violation has been logged but no further action has been taken.

What has been done to verify that this works as intended?

  • updated tests

Why is this the best possible solution? Were any other approaches considered?

Could just ignore this - seems to currently be filtered on the Sentry side.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

No effect.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

  • branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

alxndrsn added 2 commits March 13, 2026 06:04
csp/blank.html: prevent favicon violation
5ef60af 
* allow favicon
* rename policy, as it is no longer "disallowing all"

Resolves:

Firefox:

In `FaviconLoader.sys.mjs:224:20`:

```
Content-Security-Policy: (Report-Only policy) The page’s settings would block the loading of a resource (img-src) at https://dev.getodk.cloud/favicon.ico because it violates the following directive: “img-src https://translate.google.com”
```

Chrome:

In `blank.html`:

Loading the image 'https://dev.getodk.cloud/favicon.ico' violates the following Content Security Policy directive: "img-src https://translate.google.com". The policy is report-only, so the violation has been logged but no further action has been taken.
pass tests
bcfd1ad
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alxndrsn