Is it Safe to Update Content Security Policy to Allow Blob URLs for iframes?
I am currently implementing a feature that allows users to upload documents (mainly PDFs) and view them in the browser without storing them on a server. The application generates a blob URL from the uploaded document, which is then passed into the src attribute of an iframe. This works fine locally; however, I am encountering the following errors in upper environments from the browser:
"Not allowed to load local resource: blob:"
"Refused to frame 'blob:/<file_id>' because it violates the following Content Security Policy directive: 'default-src *.'. Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback."
To resolve this issue, it has been suggested to update the Content Security Policy (CSP) in the <meta> tag to allow blob: URLs. The modified CSP would look like this:
<meta http-equiv="Content-Security-Policy" content="frame-src 'self' blob:;">
Are there any potential vulnerabilities or risks associated with allowing blob URLs in the CSP compared to the alternative of storing and fetching the document from the server?
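As an added illustration (not part of the question above), the following JavaScript models the two halves of what the question touches: how a browser resolves which CSP directive governs an iframe and why `default-src *` refuses a blob: URL while `frame-src 'self' blob:` admits it, and the client-side checks a defender would add before handing an upload to an iframe. The policy matcher is a deliberately small model of the CSP3 fallback chain (frame-src, then child-src, then default-src) and of the rule that `*` matches only network schemes, so blob: must be listed explicitly; `frameUploadedPdf` is a hypothetical helper that verifies the `%PDF-` magic bytes, re-wraps the bytes with an explicit `application/pdf` type so the browser never interprets an upload as HTML (an HTML blob created by your page runs with your origin), and revokes the object URL once the frame has loaded. The CSP strings are constructed sample inputs.

```javascript
// Parse "directive v1 v2; directive v3" into a Map of directive -> source list.
// A repeated directive keeps its first occurrence, as browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// CSP3 fallback chain for framed content: frame-src -> child-src -> default-src.
// This is the "frame-src was not explicitly set, so default-src is used" rule
// quoted in the browser error message.
function effectiveFrameSources(directives) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // no governing directive: the policy does not restrict framing
}

// A source list admits a blob: URL only if it names the blob: scheme outright.
// The wildcard '*' covers network schemes (http, https, ws, wss) and nothing
// else, which is why "default-src *" still blocks blob: iframes. 'none' refuses.
function sourceListAllowsBlob(sources) {
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.includes("'none'")) return false;
  return lower.includes('blob:');
}

// Decide whether <iframe src="blob:..."> may load under the given policy,
// and report which directive made the decision.
function mayFrameBlob(policy) {
  const eff = effectiveFrameSources(parseCsp(policy));
  if (eff === null) return { allowed: true, directive: null };
  return { allowed: sourceListAllowsBlob(eff.sources), directive: eff.name };
}

// ---- client-side checks before framing a user-supplied file ----

const PDF_MAGIC = [0x25, 0x50, 0x44, 0x46, 0x2d]; // the bytes of "%PDF-"

// True if the first bytes of the upload are the PDF header.
function looksLikePdf(bytes) {
  if (bytes.length < PDF_MAGIC.length) return false;
  return PDF_MAGIC.every((b, i) => bytes[i] === b);
}

// Hypothetical browser-only helper (uses File, Blob, URL.createObjectURL and
// an <iframe> element; not called in this file).
async function frameUploadedPdf(file, iframe) {
  const head = new Uint8Array(await file.slice(0, PDF_MAGIC.length).arrayBuffer());
  if (!looksLikePdf(head)) {
    throw new Error('upload rejected: not a PDF');
  }
  // Re-wrap with an explicit MIME type so the browser never sniffs the bytes
  // as HTML; a text/html blob framed here would execute as this page's origin.
  const pdfBlob = new Blob([file], { type: 'application/pdf' });
  const url = URL.createObjectURL(pdfBlob);
  // Release the object URL once the frame has consumed it, so it cannot be
  // reused later from the same origin.
  iframe.addEventListener('load', () => URL.revokeObjectURL(url), { once: true });
  iframe.src = url;
  return url;
}
```

Running `mayFrameBlob("default-src *")` reports `{ allowed: false, directive: 'default-src' }`, reproducing the refusal in the question, while `mayFrameBlob("default-src *; frame-src 'self' blob:")` reports `{ allowed: true, directive: 'frame-src' }`. Note that the second policy keeps its `default-src`; a meta tag containing only `frame-src` would drop whatever other directives the page relied on.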