Using WebP with Content Security Policy (CSP) requires data: source, which is insecure?


George

Jan 13, 2020, 11:09:35 AM
to WebP Discussion
Hi,

I am building an image-heavy website, and want to use WebP images (for all of the advantages of smaller files, faster downloads, and less bandwidth usage).

But I also want to use the current standards of Content Security Policy.

Here is the problem: If you create a website with a CSP, you must define: Content-Security-Policy "img-src data:" in order for WebP images to load. But everything I read says that allowing data: in CSP is not secure, and defeats the purpose of having CSP?

Is there a relatively simple way to use WebP images with CSP that doesn't require a PhD in computer engineering to implement?

Dan Randa

Jan 13, 2022, 12:50:40 PM
to WebP Discussion, George
I have the exact same question. Did you ever figure out a solution to this? I'm using Nginx on a LEMP server and was hoping for directives to specify specific image MIME types or just the WebP file format.

James Zern

Jan 13, 2022, 2:58:27 PM
to WebP Discussion, George
The <picture> tag should work rather than using data:, no?
 

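Added example (not part of the thread): the `<picture>` approach suggested above, under a policy that does not list `data:`. The file paths under `/img/` are hypothetical, and the images are assumed to be served from the same origin as the page.

```html
<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <!-- Added example; the /img/ paths are hypothetical.
       Policy with the data: scheme allowed for images (the setting the
       question is worried about):
         img-src 'self' data:
       Policy used here: images may load only from this page's own origin.
       The same string can be sent as a response header instead, e.g. in nginx:
         add_header Content-Security-Policy "default-src 'self'; img-src 'self'" always;
  -->
  <meta http-equiv="Content-Security-Policy"
        content="default-src 'self'; img-src 'self'">
  <title>WebP under a CSP without data:</title>
</head>
<body>
  <picture>
    <!-- Chosen by browsers that support WebP; a normal same-origin URL,
         so it matches img-src 'self'. -->
    <source srcset="/img/hero.webp" type="image/webp">
    <!-- Fallback for browsers without WebP support; also same-origin. -->
    <img src="/img/hero.jpg" alt="Hero image" width="1200" height="600">
  </picture>
</body>
</html>
```

With this policy, an image embedded as a `data:` URI on the same page is blocked and reported in the browser console as an `img-src` violation, while both files above load.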