microsoft/BotFramework-DirectLineJS

[Content Security Policy] Restrict `blob:` in `connect-src`

compulim opened this issue · 0 comments

Feature Request

Today, we require this directive: `connect-src blob:`.

This is because botframework-directlinejs uses a blob URL to retrieve an `ArrayBuffer` for uploading attachments. The code is at https://github.com/microsoft/BotFramework-DirectLineJS/blob/master/src/directLine.ts#L807.

To-do

To remove this directive, we need to modify botframework-directlinejs to use `ArrayBuffer` or `Blob` to upload attachments.

Also, today, since we are using `URL.createObjectURL`, we don't have a reliable way to revoke the URL. Moving to `ArrayBuffer` or `Blob` will help.

[Enhancement]
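The two attachment-reading paths the issue contrasts, as an added example that is not code from the issue or from BotFramework-DirectLineJS. The legacy path mints an object URL and fetches it, which is the request `connect-src blob:` has to permit and the URL the author says is hard to revoke; the direct path reads the `Blob` itself and hands the `Blob` to `FormData`, so the only origin `connect-src` needs is the upload endpoint's. Function names, the `activity`/`file` form fields and the sample attachment are assumptions for illustration, not the Direct Line wire format.

```javascript
// Added example (not BotFramework-DirectLineJS code): two ways a browser
// client can turn an attachment Blob into upload bytes, and why only the
// first one needs `connect-src blob:` in the page's Content Security Policy.

// Legacy pattern: mint an object URL, fetch it, read the body as ArrayBuffer.
// The fetch is a request to a blob: URL, so connect-src must list `blob:`,
// and the object URL stays alive until revokeObjectURL is called. The
// try/finally is what keeps it from leaking when the fetch throws.
async function readViaBlobUrl(blob) {
  const url = URL.createObjectURL(blob);
  try {
    const response = await fetch(url);
    return await response.arrayBuffer();
  } finally {
    URL.revokeObjectURL(url);
  }
}

// Direct pattern: ask the Blob for its bytes. No URL is created and nothing
// is fetched, so connect-src never sees a blob: request and there is nothing
// to revoke.
async function readDirectly(blob) {
  return blob.arrayBuffer();
}

// Build a multipart body for the upload. The activity JSON and each
// attachment go in as Blobs; the browser serialises them when the FormData
// is POSTed, so the request goes only to the upload endpoint's origin.
// Field names here are illustrative (assumption), not Direct Line's format.
function buildUploadForm(activity, attachments) {
  const form = new FormData();
  form.append('activity', new Blob([JSON.stringify(activity)], { type: 'application/json' }));
  for (const { name, blob } of attachments) {
    form.append('file', blob, name);
  }
  return form;
}

// Constructed sample input: a five-byte text "file" and a minimal activity.
const sampleAttachment = { name: 'hello.txt', blob: new Blob(['hello'], { type: 'text/plain' }) };
const sampleActivity = { type: 'message', text: 'see attachment' };

// Runs the direct path end to end and reports what the upload would carry.
async function demo() {
  const bytes = await readDirectly(sampleAttachment.blob);
  const form = buildUploadForm(sampleActivity, [sampleAttachment]);
  return { byteLength: bytes.byteLength, fileCount: form.getAll('file').length };
}

demo().then((result) => console.log(result)); // { byteLength: 5, fileCount: 1 }
```

`readViaBlobUrl` is kept for comparison only: it depends on the browser's `fetch` accepting `blob:` URLs, which is exactly the behaviour the CSP directive gates. Once the client is on the `readDirectly` and `buildUploadForm` path, `blob:` can be dropped from `connect-src`, and the page's policy only needs to name the Direct Line upload origin.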