Images in description area of imageshare blocked by CSP if not HTTPS

[chickmetalhead]

Hi,

 

I noticed today that images in my image sets are not being displayed (in any browser I tried) if the image source addresses are not encrypted using https. In the browser logs, it shows the images are being blocked by csp or Content Security Policy. I always use http source addresses because the images do NOT need to be encrypted, and it really slows down getting all the images loaded. Haha, especially in my sets that often contain a lot of images! :blush: :laugh:

 

The following question is directed mainly to nexus administrators:

 

Has Nexus made a change to the content security requirements they require for the web pages that nexusmods serves back to users? Especially for when the imageshare page is passed back to the requesting user? Here is what I see in the network response headers that Nexus returns to my browser:

 

content-security-policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data: blob:; object-src 'none'; media-src 'self' https: data: blob:; worker-src 'self' blob:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; style-src 'self' https: 'unsafe-inline';

 

I don't know enough (yet) about how this CSP stuff works to know if those settings are what might be causing the problem with http image sources.

 

So again before I go down the rabbit hole trying to research this, has nexusmods made any changes lately that might be causing the problem? Probably since the start of 2022?? This was never a problem in the past, but I haven't done any image sets yet this year so I am not sure when the change might have happened. And just to be clear, I changed one of my imageshare sets to uses https encrypted source addresses for the images in the description area, and the images show up fine... but it takes forever to get them all loaded.

 

Edit: After a bit more research, it appears that the following part of the CSP header is the problem:

 

img-src 'self' https: data: blob:;

 

That indicates that images can be loaded from "self" (Nexus) or only over https: (Encrypted) or data: (data scheme (eg Base64 encoded images)) or blob: (whatever that is). So there appears to have been a change at Nexusmods or by one of the service providers to nexusmods. I am still curious if this was intentional, and when it changed. If it was intentional and the way nexusmods wants to do things... I will decide if it is worth the time to go back and change my old imagesets to use https sourced images... but I don't think I will bother doing that. Sigh.

 

cmh

Edited March 17, 2022 by chickmetalhead

[Pickysaurus]

It's an intentional security update. If we allow you to include content from a unsecured web server (i.e. HTTP rather than HTTPS), it basically negates the point of our own site being HTTPS.

 

I'm afraid you'll simply need to update the images.

[chickmetalhead]

Hi Picky!

 

First, thanks so much for the fast reply :thumbsup: I thought you folks might be done for the day!

 

While I might not agree with you about images needing to be https encrypted (other things certainly should be), as always it is your site so you get to make the call. :smile:

 

But at least I know it was an intentional change - and more importantly - that I was not going crazy like I thought I was earlier today. Haha, well, not going more crazy, anyway! :laugh: I will probably update my last few sets to use https source images, and will make sure I use them in the future.

 

Thanks again for the fast reply, and stay safe over there!

 

cmh

 

Edit: PS: I found a somewhat quick way of fixing up some of my old sets using Notepad++, so I might fix them all up in time. For now, I updated my last few image sets, and then I had to go back and update my epic 5-part adventure set I made a few years ago. If anybody is really bored and has a lot of time to kill, here is the the link to Part 1: A New Adventure - Part 1 - Elegance On Sunday

Edited March 17, 2022 by chickmetalhead