Icons pulling from outside local HASS domain

[phormix]

Checklist

• I have updated to the latest available Home Assistant version.
• I have cleared the cache of my browser.
• I have tried a different browser to see if it is related to my browser.

Describe the issue you are experiencing

In a recent update, icons in HASS integrations have started pulling from the external site at "brands.home-assistant.io".
This causes broken links where
a) The browser is accessing a local HASS instance and does not have internet access (i.e. a segregated network)
b) In browser security tools/settings block Javascript imagine loading across domains (i.e. with noScript)

Examples of icon locations:
https://brands.home-assistant.io/radio_browser/icon.png
https://brands.home-assistant.io/tasmota/icon.png

Describe the behavior you expected

Icons of applications installed (and preferable in the store) in HASS should be available via the local instance without the connecting browser needing internet access, as this otherwise breaks security and unnecessarily exposes the browser and requires internet access

Steps to reproduce the issue

1. login to Hass via a fresh browser w/o internet access
2. Access settings screen
3. access "Devices and Services"
4. Icons will fail to load
   ...

What version of Home Assistant Core has the issue?

2023.11.1

What was the last working version of Home Assistant Core?

No response

In which browser are you experiencing the issue with?

Firefox 119.0

Which operating system are you using to run this browser?

Linux Mint

State of relevant entities

No response

Problem-relevant frontend configuration

No response

Javascript errors shown in your browser console/inspector

No response

Additional information

This has not been reported as a security vulnerability as it does not at this time expose any particular flaw within HASS itself, but rather requires an less-secure network configuration in order to function properly

[Gunni]

I have been trying to do this for a bit now.

I want to serve the brands images locally, i have downloaded the brands repo, and then I built it with:

Edit: does not work as-is.

cd /var/www
git clone https://github.com/home-assistant/brands home-assistant-brands
cd home-assistant-brands
podman run \
        --net host \
        --rm \
        -it \
        -v $(pwd):/work:Z \
        -w /work \
        ubuntu:latest \
        /bin/bash -c 'apt update && apt install -y eatmydata && eatmydata apt install --no-install-recommends -y ca-certificates librsvg2-bin git rsync jq && ./scripts/build.sh'

I configured my caddy webserver with:

ha.example.com {
	# generic stuff like ip locking and such
	import always_private

	header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://basemaps.cartocdn.com https://github.com https://raw.githubusercontent.com https://www.zigbee2mqtt.io https://slsys.github.io; font-src 'self' data:; connect-src 'self' https://catalogue.nodered.org; worker-src 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"

	# Requires caddy plugin https://github.com/caddyserver/replace-response
	replace re "https:\/\/[${a-z\.()\"\?\:}]+\.home-assistant.io" "/brands"

	handle_path /brands* {
		root * /var/www/home-assistant-brands/build
		try_files {path} {path}/
		file_server
	}

	handle {
		reverse_proxy * http://[2001:db8::1]:8123 {
			# needed for replace-response
			header_up Accept-Encoding identity
		}
	}
}

This works excellent, right until the service worker loads, refreshes the page using its logic and starts borking things up...

If i block the service worker, by adding worker-src 'none'; to the csp, then everything works, except now I don't have the service worker, which I assume breaks some things.

Edit: Just noticed that blocking worker-src blocks sort-filter-worker.*.js which are used to display entity lists.

Edit 2: p.s. I do consider this a security problem in the way that it leaks requests to an external service (which can then track your users), I have mentioned it in #15440. They also use https://basemaps.cartocdn.com, while a bit more reasonable is still annoying.

[github-actions]

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.
Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍
This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

[Gunni]

AFAIK this is still an issue.

[nima-1102]

+1

I am surprised that the icons have not always been loaded locally. Experiencing an ongoing Internet outage makes you realize just how much we rely on the Internet for everything.

[Gunni]

I just started trying to make an addon that either implements a cache, or a fetcher of the entire brands repo.

Total noob at addon dev and with a full time job so...

TODO: Figure out if I can make the url for brands replaceable.

Edit: baby arrived early... Oh well.

[phormix]

Yeah. My feeling is that the icons should load remotely when pulling the global list to install a new app, and then there should be a dedicated icons directory etc for installed apps to pull their icons from.

[martin3000]

For me this is a privacy issue! I don't want that my home assistant activity, integrations list and IP address is sent to the HA servers all the time I work with HA. This is a nogo!

[nima-1102]

@balloob Shouldn't it be by default that it is possible to load everything completely locally without cloud?

[GolDNenex]

Also interested with the possibility to change "https://brands.home-assistant.io" with a custom one. Its not everyone cup of tea but if i selfhost its not for my services to pull external resources.

Lots of reasons for that but in this case it because my 2nd instance don't have internet access at all and each time i go in the devices configuration its slow as hell.

I just finished a proxy that mimic the original website. If a images is not already in the cache, its pulled from the og website and added to the cache. The cache is saved periodically and loaded when starting so you also can copy/paste the cache file to a offshore instance for example. This also dramatically reduce the req/resp time.

Didn't think about this being a problem tho. Hope something can be done. Will look how to build the frontend but this seem complicated to deploy/maintain.

If this become possible, i will release my proxy. But for now, no one can really using it, even me.

[martin3000]

i have downloaded the brands repo

How big is it?

[Gunni]

How big is it?

• Plain git checkout: 900 MB
• Building it using the script below increases it to: 4.6 GB
  • Just build directory (what's served to users): 3.7 GB
• Build takes 6 minutes on my vm

p.s. updated build command (added optipng)

podman run \
        --net host \
        --rm \
        -it \
        -v $(pwd):/work:Z \
        -w /work \
        ubuntu:latest \
        /bin/bash -c 'apt update && apt install -y eatmydata && eatmydata apt install --no-install-recommends -y ca-certificates librsvg2-bin git rsync jq optipng && ./scripts/build.sh'