
Whitelist imgbox.com and googleusercontent.com so images can be shown
Closed, Resolved (Public)

Description

Please whitelist imgbox.com and googleusercontent.com
Images can't be shown even if "Allow External Images" is checked in the wiki configuration. This is because of your CSP: sites not on your whitelist will still be denied access.

imgbox.com is just an image hosting site which we use a lot.
googleusercontent.com is used by Google Photos to host user-uploaded images.
Thank you.

Event Timeline

Revival triaged this task as Normal priority. May 18 2020, 08:55
Revival created this task.
Reception123 closed this task as Resolved. May 18 2020, 15:22
Reception123 claimed this task.
Revival reopened this task as Open. Jun 3 2020, 10:49

The whitelist does not work properly because the link may contain subdomains, for example:
https://imgbox.com/images/imgbox_large.png <-- can display
https://images2.imgbox.com/00/00/9E2qE9Nw_o.jpg <-- CANNOT
https://lh6.googleusercontent.com/-Du5sjWWmXcU/TplK6DYjlnI/AAAAAAABHbY/5Di2rH_nEtY/w800-h400-c/P1050401_stitch.jpg <-- CANNOT

You need to add the following whitelist entries too:
'*.googleusercontent.com'
'*.imgbox.com'

Reception123 removed Reception123 as the assignee of this task. Jun 6 2020, 12:01

No issues with those URLs.

Revival added a comment. Jun 11 2020, 09:05

No issues with those URLs.

Those images couldn't be shown in the wiki since it does not match the whitelist.
The whitelist only whitelists imgbox.com, but not *.imgbox.com
and whitelists googleusercontent.com, but not *.googleusercontent.com

AmandaCath claimed this task. Jun 11 2020, 13:15
AmandaCath added a subscriber: AmandaCath.

Since Southparkfan has approved these changes, I will submit the pull request to implement them.

AmandaCath edited projects, added Puppet; removed Configuration.
Revival added a comment. Edited Jun 21 2020, 11:41

Please kindly add the following to the whitelist too:
'*.googleusercontent.com'
'*.imgbox.com'

Currently the whitelist only whitelists the main domain, but NOT the subdomains!
Those images couldn't display because the links contain subdomains, for example:
https://imgbox.com/images/imgbox_large.png <-- can display
https://images2.imgbox.com/00/00/9E2qE9Nw_o.jpg <-- CANNOT
https://lh6.googleusercontent.com/-Du5sjWWmXcU/TplK6DYjlnI/AAAAAAABHbY/5Di2rH_nEtY/w800-h400-c/P1050401_stitch.jpg <-- CANNOT

Thank you.

Reception123 added a subscriber: RhinosF1.

@Revival I'm sorry about how long it's taking, but currently our system doesn't allow those kinds of whitelists, so we need to look into an alternative (@Paladox ?)

AmandaCath removed AmandaCath as the assignee of this task. Jun 24 2020, 00:43
Revival added a comment. Jun 25 2020, 08:12

@Revival I'm sorry about how long it's taking, but currently our system doesn't allow those kinds of whitelists, so we need to look into an alternative (@Paladox ?)

Sorry, I don't get it. What are the technical issues? There are other sites for which both the main domains and their subdomains are whitelisted, and they work perfectly fine.

Nevertheless, it's weird that only the main domains are whitelisted for those two sites, but not their subdomains. What's the point of that?

Reception123 added a subscriber: Zppix.

From other task adding:

'postimages.org'
'*.postimages.org'
'postimgs.org'
'*.postimgs.org'
'postimg.cc'
'*.postimg.cc'
'imgbb.com'
'*.imgbb.com'
'simgbb.com'
'*.simgbb.com'
'ibb.co'
'*.ibb.co'

The wildcard only supports, for example, *.x.x or *.x.x.x; the wildcard does not allow for *.x.x to become x.x.x.x.

Revival added a comment. Jul 7 2020, 06:16

The wildcard only supports, for example, *.x.x or *.x.x.x; the wildcard does not allow for *.x.x to become x.x.x.x.

The above sites do not have x.x.x.x as far as I can see.
It is enough to whitelist *.x.x and x.x.

Gwillig added a subscriber: Gwillig. Jul 27 2020, 09:32

Hello,
so my question is how can we now display " like:

<img src="https://lh6.googleusercontent.com/-Du5sjWWmXcU/TplK6DYjlnI/AAAAAAABHbY/5Di2rH_nEtY/w800-h400-c/P1050401_stitch.jpg">

I still get the error:

Refused to load the image 'https://lh6.googleusercontent.com/-Du5sjWWmXcU/TplK6DYjlnI/AAAAAAABHbY/5Di2rH_nEtY/w800-h400-c/P1050401_stitch.jpg' because it violates the following Content Security Policy directive:

lh3.googleusercontent.com is now whitelisted.

Revival added a comment. Edited Tue, Sep 22, 07:06

lh3.googleusercontent.com is now whitelisted.

Unfortunately it is not. Images from lh3.googleusercontent.com are still blocked.
BTW there are other subdomains like lh6, lh5, lh4. It does not make sense to only whitelist lh3.

Revival added a comment. Tue, Sep 22, 07:22

Sorry to interrupt, currently the following domains are whitelisted:
url52: 'googleusercontent.com'
url53: 'imgbox.com'

This only whitelists the main domain, but not their subdomains.
Their images are hosted in their subdomains!

It is not the first time you whitelist all subdomains of a particular website. For example,
url16: '*.google.com'
url17: '*.gstatic.com'
url18: '*.addthis.com'
url19: '*.youtube.com'
url29: '*.googleapis.com'
url30: '*.twimg.com'
url33: '*.freenode.net'
url34: '*.sorcery.net'

I don't get why only the main domains are whitelisted, but not their subdomains in this case.
Those whitelists do not make any sense and are essentially useless.

imgbox.com is a popular site which hosts images only. It is a perfectly safe website.
googleusercontent.com is owned by Google and user-uploaded images are hosted there. It is a perfectly safe website too.
To solve the issue, you simply need to add two lines to the whitelist, which are:
'*.imgbox.com'
'*.googleusercontent.com'

We have been waiting for months and this issue is still unresolved. This baffles us a lot. Many images are still broken.
Please kindly help us by adding two lines to the whitelist. Thank you very much.

Zppix added a comment. Wed, Sep 23, 14:38

Done, should take effect in approx. 10 minutes.

Zppix closed this task as Resolved. Thu, Sep 24, 16:13
Zppix claimed this task.

Seems to be resolved now. If not, feel free to reopen.
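
As an added example (not part of the task and not Miraheze's configuration), the sketch below models how a browser matches host-only CSP source expressions against the image URLs quoted in this task, first with the bare-domain entries and then with the requested wildcard entries. The function names and the lookalike host are assumptions made for illustration; scheme, port and path matching are left out.

```javascript
// Simplified model of CSP host-source matching for img-src (added example).
// Only host-only source expressions are handled, as quoted in the task;
// scheme, port and path parts of a source expression are not modelled.

// Image URLs quoted in the task.
const URLS = [
  'https://imgbox.com/images/imgbox_large.png',
  'https://images2.imgbox.com/00/00/9E2qE9Nw_o.jpg',
  'https://lh6.googleusercontent.com/-Du5sjWWmXcU/TplK6DYjlnI/AAAAAAABHbY/5Di2rH_nEtY/w800-h400-c/P1050401_stitch.jpg',
];

// Allowlist as it stood (bare domains only) and with the requested entries.
const BARE_ONLY = ['googleusercontent.com', 'imgbox.com'];
const WITH_WILDCARDS = [...BARE_ONLY, '*.googleusercontent.com', '*.imgbox.com'];

// Host names compare case-insensitively.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith('*.')) {
    // '*.imgbox.com' needs the host to end with '.imgbox.com': the bare
    // domain does not match, and neither does a lookalike such as
    // 'fakeimgbox.com' (constructed name), because the dot is required.
    return h.endsWith(p.slice(1));
  }
  // Without a wildcard the host must be identical; subdomains do not match.
  return h === p;
}

function imageAllowed(allowlist, url) {
  const host = new URL(url).hostname;
  return allowlist.some((entry) => hostMatches(entry, host));
}

function report(allowlist) {
  return URLS.map((url) => ({
    host: new URL(url).hostname,
    allowed: imageAllowed(allowlist, url),
  }));
}

console.log('bare domains only:', report(BARE_ONLY));
console.log('with wildcard entries:', report(WITH_WILDCARDS));
```

Because the wildcard entry does not cover the bare domain, an allowlist needs both `imgbox.com` and `*.imgbox.com` to cover every URL quoted above.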