If I understand the context of what you are referring to properly, there's no issue with Ecency's image proxy itself. I was talking about restricting CSP to images.hive.blog so that all external content goes through (ideally) a single controlled proxy within one domain that serves UGC. Fewer allowed origins means a smaller attack surface if something goes wrong on any of them.
I see, thanks for clarifying. Security is crucial for us and we take it seriously. If you notice any potential issues (XSS or otherwise), please let us know so we can address them promptly.
Since there are currently only two known image proxy instances, we’ve added an option for users to choose their preferred proxy. This is available on both ecency.com and the Ecency mobile app.