Content Security Policy directive: "img-src 'self' data:"

[LorenAmelang]

0.44.4
170
16
2020-09-24T23:33:36+02:00

Log attached, showing issue and more...
trilium-2020-11-18.log

Exported note attached...
Gluteus Medius Isolation Exercises - Brace Access.zip

I've noticed Trilium sometimes doesn't show the images from saved whole pages. I'd concluded it couldn't handle .png images, because when I copy one and try to paste it into the note, I get the tiny broken image icon above the caption entry field. If I externally convert it to a .jpg, it pastes properly.

Then I discovered I could use Windows Snipping Tool -> (select) -> File -> Copy, and that version would paste properly. (Even though I now see it pastes a .png file!)

I just dug into this in the note "Gluteus Medius Isolation Exercises - Brace Access.zip"

In Trilium, if I expand the tree, I see all the images that should have been in the saved page, listed in pale type in the tree. In the note, they now have little broken image icons that open the pale image versions. When I first saved the note, those icons did not show! I manually copied and pasted the three images that show in bright type, and "glute-med-anatomy.png" still didn't show up in the note. The ones called just "image.png" are the only ones showing in the note.

So I just peeked into DevTools. There are 68 of these errors shown in Console:

:37840/#root/root/MEOxcpC1CAXa/Kj9FsOHBv8aq/DPI2edKQ39p5/D7QOgvcgphxh/K1Is8ijX7eXS/0Cb37ybQ8pQg-6tcg:1 Refused to load the image 'https://braceaccess.com/wp-content/uploads/2018/05/Monster-Walk-Using-Mini-Bands.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".

Lots of .png files, but plenty of .jpg files as well. But all from http:// pages.

https://stackoverflow.com/questions/40360109/content-security-policy-img-src-self-data
Seems to be saying that policy is a problem, but that relaxing it is a security threat. Personally, I'd be glad to open up the security - I've already seen the page in my browser and decided to save it - Trilium is not like a browser showing random pages for the first time.

But I can't even find the policy in DevTools to try to hack it. Is there a way to fix this?

[LorenAmelang]

Just noticed 0.45.4 was available. It displays all of the child images of that note inline, where only two showed before. Definitely different! I'll be watching to see if it can capture more images without errors...

[zadam]

So, I think the problem you are experiencing is connected to the fact that Trilium always tries to keep images locally - when you e.g. copy & paste content from a web site, the content in clipboard does not contain the images, only links to them (http://) - trilium will then parse the content and try to download the images from internet and save them locally for even offline use.

This can sometimes fail (e.g. because of proxy blocking internet access).

But it's a question whether this CSP policy is suitable and we should probably allow also external images ...

[LorenAmelang]

In case you're curious... After updating to 45.4 last night, I tried another clip:

22:58:43.303 GET /api/clipper/handshake took 1ms
22:59:04.410 Saving image 8c6628d7-c633-4482-ac9f-acdca479eb56-shutterstock-1235114896.jpg?w=800&auto=format%2Ccompress&cs=srgb&q=70&fit=crop&crop=faces
...

It got two photos but not the one I really wanted. Browser copied that one and it pasted into the note properly:

23:04:21.947 Saving image 42d2bc7b-657c-464d-aac2-097788b841e1-best-resistance-bands-3.jpg
23:04:22.039 Download of https://imgix.bustle.com/uploads/image/2020/3/20/42d2bc7b-657c-464d-aac2-097788b841e1-best-resistance-bands-3.jpg?w=400&h=399&fit=crop&crop=faces&auto=format%2Ccompress&cs=srgb&q=70 succeeded and was saved as image note zllQUZ8CTbLP

No CSP errors in DevTools. Looks like maybe it auto-saved images linked from Shutterstock, but not those hosted with the page?

This can sometimes fail (e.g. because of proxy blocking internet access).

I'm not running any proxy that I know of. I do notice comments in the logs about slow response - I'm at the end of about 30 miles of radio link, four hops, so while most latency is in the 20 ms range, the occasional request takes much longer. Is that a problem for Trilium grabbing web images?

trilium-2020-11-19.log

[dosubot]

Hi, @LorenAmelang. I'm Dosu, and I'm helping the Trilium team manage their backlog. I'm marking this issue as stale.

Issue Summary:

• You reported an issue with Trilium not displaying images from saved web pages, especially .png files.
• The issue is linked to a restrictive Content Security Policy.
• Version 0.45.4 shows partial resolution, with more images displayed inline.
• Zadam explained that image download failures might be due to network issues or proxy blocks.
• You provided logs indicating some images are saved, while others fail, possibly due to network latency.

Next Steps:

• Please confirm if this issue is still relevant to the latest version of the Trilium repository by commenting here.
• If there is no further activity, the issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!