From ed22209e6cf36c71d26e8b864d232cda99ffe0c8 Mon Sep 17 00:00:00 2001 From: Petipopotam <43313692+Petipopotam@users.noreply.github.com> Date: Thu, 19 Jan 2023 19:56:27 +0100 Subject: [PATCH 1/2] Content Security Policy syntax was invalid According to https://csp-evaluator.withgoogle.com/ the CSP built here is NOT valid (and the blob: value is missing at img-src, so the image is not displayed when reading ebook in a browser) Before this commit, in Chrome response header you can find Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:; object-src: 'none'; blob:;style-src-elem 'self' blob: 'unsafe-inline'; After : Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' blob: data:; object-src 'none' blob:; style-src-elem 'self' blob: 'unsafe-inline'; and image in viewer are displayed --- cps/web.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cps/web.py b/cps/web.py index 196fe367..8eb46749 100755 --- a/cps/web.py +++ b/cps/web.py @@ -82,16 +82,16 @@ except ImportError: def add_security_headers(resp): csp = "default-src 'self'" csp += ''.join([' ' + host for host in config.config_trustedhosts.strip().split(',')]) - csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' " + csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' blob:" if request.path.startswith("/author/") and config.config_use_goodreads: - csp += "images.gr-assets.com i.gr-assets.com s.gr-assets.com" + csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com" csp += " data:;" - csp += " object-src: 'none';" + csp += " object-src 'none'" resp.headers['Content-Security-Policy'] = csp if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive: resp.headers['Content-Security-Policy'] += " *" elif request.endpoint == "web.read_book": - resp.headers['Content-Security-Policy'] += " blob:;style-src-elem 'self' blob: 'unsafe-inline';" + resp.headers['Content-Security-Policy'] += " blob:; style-src-elem 'self' blob: 'unsafe-inline';" resp.headers['X-Content-Type-Options'] = 'nosniff' resp.headers['X-Frame-Options'] = 'SAMEORIGIN' resp.headers['X-XSS-Protection'] = '1; mode=block' From beb619c2c20ed51c6f6d91a27414790c14b4a486 Mon Sep 17 00:00:00 2001 From: Petipopotam <43313692+Petipopotam@users.noreply.github.com> Date: Thu, 19 Jan 2023 20:19:55 +0100 Subject: [PATCH 2/2] Correct CSP no need blob: value for object-src --- cps/web.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cps/web.py b/cps/web.py index 8eb46749..ab28b7a3 100755 --- a/cps/web.py +++ b/cps/web.py @@ -82,16 +82,16 @@ except ImportError: def add_security_headers(resp): csp = "default-src 'self'" csp += ''.join([' ' + host for host in config.config_trustedhosts.strip().split(',')]) - csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' blob:" + csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'" if request.path.startswith("/author/") and config.config_use_goodreads: csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com" - csp += " data:;" - csp += " object-src 'none'" + csp += " blob: data:;" + csp += " object-src 'none';" resp.headers['Content-Security-Policy'] = csp if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive: resp.headers['Content-Security-Policy'] += " *" elif request.endpoint == "web.read_book": - resp.headers['Content-Security-Policy'] += " blob:; style-src-elem 'self' blob: 'unsafe-inline';" + resp.headers['Content-Security-Policy'] += " style-src-elem 'self' blob: 'unsafe-inline';" resp.headers['X-Content-Type-Options'] = 'nosniff' resp.headers['X-Frame-Options'] = 'SAMEORIGIN' resp.headers['X-XSS-Protection'] = '1; mode=block'