Hi!
I’m using the GLTFLoader to load to .gltf objects in a scene, but they are blocked by connect-src rules I have implemented. By adding ‘data:’ in the connect-src allowlist, the files are loaded correctly, but ‘data:’ is a risk for XSS which I wish to avoid at most costs, does anyone know of a way around this?
The ‘data:’ -source was not necessary prior to r134 so I assume it came from changing the FileLoader API from XMLHttpRequest() to fetch()(Migration Guide · mrdoob/three.js Wiki · GitHub).
" * data: Allows data: URLs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URLs. Use this sparingly and definitely not for scripts."
source: CSP source values - HTTP | MDN