Inline preview plugin stopped working with 1.17.5.
A grey/blank image is displayed.
Browser developer tools pointed me in the right direction:
Content-Security-Policy: The page’s settings blocked the loading of a resource at blob:https://www......a8b9-0ccc38989a6a (“object-src”).
Investigating the latest commits, I found commit #6228f64:
"This adds a few more CSP Headers (script-src, object-src) to better secure the helpdesk."
Temporary workaround for me: weakening the CSP a little, from this:
header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes()."; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'");
to this:
header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes()."; script-src 'self' 'unsafe-inline' 'unsafe-eval';");
Before that I tried with "object-src 'self'" and "object-src 'self' https://ww.mysite.com", but both failed.
I am wondering whether I am the only one having this problem and if that commit could break other plugins' XHR method.
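A small CSP source-list matcher, added here as an example (it is not osTicket's code and not part of the report above), showing why `object-src 'self'` and a host source never match a blob: URL while the `blob:` scheme-source does, and that omitting object-src (with no default-src) leaves object loads unrestricted. The helpdesk origin, blob URL and header values are constructed stand-ins.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Return True if one CSP source expression allows `url` for a page at `page_origin`."""
    u, o = urlparse(url), urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        # 'self' compares scheme, host and port with the page origin. A blob: URL
        # parses with scheme "blob" and no host, so it never matches 'self'.
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if expr.endswith(":") and "/" not in expr:
        # scheme-source such as "blob:" or "https:" matches on the scheme alone
        return u.scheme == expr[:-1].lower()
    # host-source such as https://www.example.com or *.example.com
    scheme, host = expr.split("://", 1) if "://" in expr else (None, expr)
    host = host.split("/")[0].split(":")[0].lower()
    if scheme and u.scheme != scheme.lower():
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def object_allowed(header, url, page_origin):
    """Decide whether `url` may be loaded as an <object>/<embed> under `header`."""
    policy = parse_csp(header)
    # object-src falls back to default-src; with neither present nothing is restricted
    sources = policy.get("object-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)

# Constructed values standing in for the helpdesk origin and the preview plugin's blob URL.
ORIGIN = "https://helpdesk.example.com"
BLOB = "blob:https://helpdesk.example.com/3f0c-0000-placeholder"
FRAME = "frame-ancestors 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "

if __name__ == "__main__":
    for tail in ("object-src 'none'", "object-src 'self'",
                 "object-src 'self' https://helpdesk.example.com",
                 "object-src 'self' blob:", ""):
        print(f"{tail or '(object-src omitted)':48} -> {object_allowed(FRAME + tail, BLOB, ORIGIN)}")
```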