Orion does not respect the img-src values in the content security policy

httpjames

Steps to reproduce:

Visit a website with a strict CSP, like Kagi. Kagi does not allow assets outside of self and a few whitelisted domains and JS data types to load as images.
Try to load an asset that is outside of this allowlist, such as an image from Github using my Kagi custom CSS theme.
Observe as Orion successfully loads the background from Github, even though the CSP should not allow Github remote assets to load.

Expected behavior:

While this was convenient to allow my remote asset to load as my Kagi background, it's a security issue. On Chromium, Orion mobile and Safari on both platforms, the image is blocked from loading.

Brave:

Safari:

Orion desktop should not allow this image to load, even in CSS, because it violates the CSP's allowlist as shown above from Google's CSP evaluator.

Orion, OS version; hardware type:

Version 0.99.125-beta (WebKit 616.1.22)
MacBook Pro (macOS Ventura 13.5.1 build 22G90)

AlexLindsay

I am seeing the same issue with script-src. (On my work project) Orion successfully loaded grecaptcha without the necessary URLs being added to our CSP, but was blocked on Chrome and Brave.

Version 0.99.126.3-beta (WebKit 618.1.2)
MacBook Pro (macOS Ventura 13.6)