NunoSempere/calibre-web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added blobs to csp for reader page (fix for #3005)

Browse Source
This commit is contained in:
Ozzie Isaacs 2024-02-25 19:32:04 +01:00
parent 80a2d07009
commit 0ebfba8d05
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cps/web.py
View File

@ -86,9 +86,13 @@ except ImportError:
@app.after_request
def add_security_headers(resp):
csp = "default-src 'self'"
csp += ''.join([' ' + host for host in config.config_trustedhosts.strip().split(',')])
csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'"
default_src = ([host.strip() for host in config.config_trustedhosts.split(',') if host] +
["'self'", "'unsafe-inline'", "'unsafe-eval'"])
csp = "default-src " + ' '.join(default_src) + "; "
csp += "font-src 'self' data:"
if request.endpoint == "web.read_book":
csp += " blob:"
csp += "; img-src 'self'"
if request.path.startswith("/author/") and config.config_use_goodreads:
csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com"
csp += " data:"