NunoSempere/calibre-web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add object-src to the CSP policy

Browse Source
This commit is contained in:
Julien Voisin 2022-12-22 12:47:37 +01:00 committed by GitHub
parent 3d59a78c9f
commit 2ddbaa2150
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cps/web.py
View File

@ -85,7 +85,8 @@ def add_security_headers(resp):
csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' "
if request.path.startswith("/author/") and config.config_use_goodreads:
csp += "images.gr-assets.com i.gr-assets.com s.gr-assets.com"
csp += " data:"
csp += " data:;"
csp += " object-src: 'none';"
resp.headers['Content-Security-Policy'] = csp
if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
resp.headers['Content-Security-Policy'] += " *"