CSP invalid to display image when web.read_book

CSP 
Before : default-src 'self'  'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:; style-src-elem 'self' blob: 'unsafe-inline'; object-src 'none';
After :    default-src 'self'  'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data: blob:; style-src-elem 'self' blob: 'unsafe-inline';object-src 'none';
This commit is contained in:
Petipopotam 2023-01-24 11:03:19 +01:00 committed by GitHub
parent 1ad8dc102a
commit d545ea9e6f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -85,11 +85,11 @@ def add_security_headers(resp):
csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'" csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'"
if request.path.startswith("/author/") and config.config_use_goodreads: if request.path.startswith("/author/") and config.config_use_goodreads:
csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com" csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com"
csp += " data:;" csp += " data:"
if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive: if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
csp += " *;" csp += " *;"
elif request.endpoint == "web.read_book": elif request.endpoint == "web.read_book":
csp += " style-src-elem 'self' blob: 'unsafe-inline';" csp += " blob:; style-src-elem 'self' blob: 'unsafe-inline';"
else: else:
csp += ";" csp += ";"
csp += " object-src 'none';" csp += " object-src 'none';"