mirror of
https://github.com/janeczku/calibre-web
synced 2024-11-24 10:37:23 +00:00
Added blobs to csp for reader page (fix for #3005)
This commit is contained in:
parent
80a2d07009
commit
0ebfba8d05
10
cps/web.py
10
cps/web.py
@ -86,9 +86,13 @@ except ImportError:
|
||||
|
||||
@app.after_request
|
||||
def add_security_headers(resp):
|
||||
csp = "default-src 'self'"
|
||||
csp += ''.join([' ' + host for host in config.config_trustedhosts.strip().split(',')])
|
||||
csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'"
|
||||
default_src = ([host.strip() for host in config.config_trustedhosts.split(',') if host] +
|
||||
["'self'", "'unsafe-inline'", "'unsafe-eval'"])
|
||||
csp = "default-src " + ' '.join(default_src) + "; "
|
||||
csp += "font-src 'self' data:"
|
||||
if request.endpoint == "web.read_book":
|
||||
csp += " blob:"
|
||||
csp += "; img-src 'self'"
|
||||
if request.path.startswith("/author/") and config.config_use_goodreads:
|
||||
csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com"
|
||||
csp += " data:"
|
||||
|
Loading…
Reference in New Issue
Block a user