Description
Issue Summary
Hi,
currently there are multiple embeds of https://img.spacergif.org; for example, it is used as the poster for videos. I haven't found a way to remove it or to customize it to point to a local image, which is especially important from the GDPR perspective. Users shouldn't be required to download assets hard-coded in the Ghost code, which would also be more difficult to remove as an administrator.
As a fix, I'd suggest either to host this asset locally or to allow customization rather than having it hard-coded.
Workaround:
Use a CSP policy to block external domains for images. I'd normally do it as an HTTP response header, but as a quick fix it is enough to inject the following tag into the {{ghost_head}} of the article: <meta http-equiv="Content-Security-Policy" content="img-src 'self'">
Steps to Reproduce
- Embed a video.
- Notice the video poster pointing to https://img.spacergif.org
[...] poster="https://img.spacergif.org/v1/1920x1080/0a/spacer.png" [...]
Ghost Version
6.2.0
Node.js Version
Docker compose
How did you install Ghost?
Docker compose
Database type
MySQL 8
Browser & OS version
No response
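Added example, not part of the issue or of Ghost's code: a small Node.js audit that lists image fetches in rendered HTML that leave the site's origin (including a video `poster`, which `img-src` governs) and checks whether a given policy string restricts images to the site itself. The function names, `blog.example` and the sample markup are assumptions; only the poster URL comes from the report, and the policy check is deliberately conservative rather than a full CSP matcher.

```javascript
// Added example, not Ghost code. SAMPLE_HTML is constructed; only the poster
// URL is taken from the issue. blog.example is a placeholder origin.
const SAMPLE_HTML = `
<video src="/content/media/clip.mp4"
       poster="https://img.spacergif.org/v1/1920x1080/0a/spacer.png"></video>
<img data-src="https://lazy.example/x.png" src="/content/images/cover.jpg">`;

// Attributes fetched as images, which is what the img-src directive governs.
const IMAGE_ATTRS = { img: 'src', video: 'poster' };

function imageUrls(html) {
  const urls = [];
  for (const [, tag, attrs] of html.matchAll(/<(img|video)\b([^>]*)>/gi)) {
    const attr = IMAGE_ATTRS[tag.toLowerCase()];
    const m = attrs.match(new RegExp(`(?:^|\\s)${attr}\\s*=\\s*["']([^"']+)["']`, 'i'));
    if (m) urls.push(m[1]);
  }
  return urls;
}

// Image URLs that resolve to an http(s) origin other than the site's own.
function thirdPartyImages(html, siteOrigin) {
  const self = new URL(siteOrigin).origin;
  return imageUrls(html)
    .map((u) => new URL(u, self))
    .filter((u) => /^https?:$/.test(u.protocol) && u.origin !== self)
    .map((u) => u.href);
}

// Effective image source list: img-src, else default-src, else null (no limit).
function imgSrcSources(policy) {
  const seen = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !(name in seen)) seen[name] = sources; // first occurrence wins
  }
  return seen['img-src'] ?? seen['default-src'] ?? null;
}

// Conservative check: only 'self' / 'none' count as blocking external images.
function audit(html, siteOrigin, policy) {
  const sources = imgSrcSources(policy);
  const restricted = sources !== null &&
    sources.every((s) => s === "'self'" || s === "'none'");
  return { external: thirdPartyImages(html, siteOrigin), restricted };
}

console.log(audit(SAMPLE_HTML, 'https://blog.example', "img-src 'self'"));
```

Running it over saved copies of published posts shows which hard-coded external image hosts a page still references and whether the deployed policy would stop the browser from contacting them.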