Skip to content

fix: remove data:text/html from graphicUrl() allowed MIME types (closes #70)#71

Open
LucasMaupin wants to merge 1 commit into
mainfrom
fix/issue-70-remove-text-html-from-allowed-data-mime
Open

fix: remove data:text/html from graphicUrl() allowed MIME types (closes #70)#71
LucasMaupin wants to merge 1 commit into
mainfrom
fix/issue-70-remove-text-html-from-allowed-data-mime

Conversation

@LucasMaupin

Copy link
Copy Markdown
Collaborator

Summary

  • Removed text/html from ALLOWED_DATA_MIME in src/lib/url-validation.ts, restricting data URI support to image-only MIME types (png, jpeg, gif, webp)
  • Updated the JSDoc comment and error message to reflect that HTML overlay sources must use an https:// URL rather than an inline data URI
  • Added src/__tests__/url-validation.test.ts with 18 test cases covering all accept/reject paths, including a direct regression test for data:text/html

Why

data:text/html URIs were explicitly permitted, allowing an authenticated user to supply a graphic overlay URL containing JavaScript that executes inside Strom's CEF (Chromium Embedded Framework) renderer. Because CEF runs with network access on the Strom host, this enabled SSRF and potential credential exfiltration — a meaningful escalation beyond a simple content injection. Restricting data URIs to image types eliminates script execution risk entirely.

HTML overlay sources that previously used inline data:text/html must be migrated to an https:// URL served from a trusted web server.

Closes #70

#70)

data:text/html URIs were explicitly permitted by ALLOWED_DATA_MIME, allowing
authenticated users to execute arbitrary JavaScript inside Strom's CEF renderer
via a graphic overlay URL. Restrict data URI support to image-only MIME types
where there is no script execution risk. HTML overlay sources must use an
https:// URL pointing to a trusted server.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[SECURITY][HIGH] data:text/html explicitly permitted in graphicUrl() — arbitrary JavaScript execution in Strom's headless Chromium (cefsrc)

1 participant