How do I get railway to accept blob URLs when deploying a static site?
newideas99
PROOP

9 months ago

Railway CSP blocks blob

Problem

• Drag/drop creates blob: image URLs; Railway’s default CSP blocks them.

Error: Refused to load the image 'blob:...' due to "img-src 'self' data: https: *".

Current Solution (Security Risk):

Use a custom Caddyfile so Railway serves a CSP that allows blob::

:{$PORT} {

root * /app

file_server

header {

Content-Security-Policy "default-src 'self'; img-src 'self' data: https: blob: *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' data: https:; connect-src 'self' https: wss: ws:; frame-src 'self' https:; media-src 'self' https: blob:; object-src 'none'; base-uri 'self'; form-action 'self';"

X-Content-Type-Options "nosniff"

X-Frame-Options "SAMEORIGIN"

Referrer-Policy "strict-origin-when-cross-origin"

}

encode gzip

try_files {path} /index.html

}

Place the Caddyfile where Railway picks it up and deploy; check logs for “Using custom Caddyfile”.

Security caveat (important)

If you store the Caddyfile under public/static assets, it is web-accessible (e.g., /Caddyfile). That’s a security risk.

$10 Bounty

1 Replies

9 months ago

If you're trying to use a custom Caddyfile for your static site then try placing the Caddyfile in the root of your static site, otherwise Railway won't use it


Welcome!

Sign in to your Railway account to join the conversation.

Loading...