1
0
mirror of https://github.com/janeczku/calibre-web synced 2024-11-28 12:30:00 +00:00

The recent changes to content security policy broke custom theming. I fixed it by adding a trusted hosts field to Server Configuration

This commit is contained in:
cbartondock 2021-10-22 15:35:10 -04:00
parent 95544ef885
commit c6bf62a6eb
4 changed files with 7 additions and 3 deletions

View File

@ -1199,7 +1199,7 @@ def _configuration_update_helper():
to_save = request.form.to_dict()
try:
reboot_required |= _config_int(to_save, "config_port")
reboot_required |= _config_string(to_save, "config_trustedhosts")
reboot_required |= _config_string(to_save, "config_keyfile")
if config.config_keyfile and not os.path.isfile(config.config_keyfile):
return _configuration_result(_('Keyfile Location is not Valid, Please Enter Correct Path'))

View File

@ -66,7 +66,7 @@ class _Settings(_Base):
config_external_port = Column(Integer, default=constants.DEFAULT_PORT)
config_certfile = Column(String)
config_keyfile = Column(String)
config_trustedhosts = Column(String,default='')
config_calibre_web_title = Column(String, default=u'Calibre-Web')
config_books_per_page = Column(Integer, default=60)
config_random_books = Column(Integer, default=4)

View File

@ -46,6 +46,10 @@
<option value="2" {% if config.config_updatechannel == 2 %}selected{% endif %}>{{_('Nightly')}}</option>
</select>
</div>
<div class="form-group">
<label for="config_trustedhosts">{{_('Trusted Hosts (Comma Separated)')}}</label>
<input type="text" class="form-control" id="config_trustedhosts" name="config_trustedhosts" value="{% if config.trustedhosts != None %}{{ config.config_trustedhosts }}{% endif %}" autocomplete="off">
</div>
</div>
</div>
</div>

View File

@ -82,7 +82,7 @@ except ImportError:
@app.after_request
def add_security_headers(resp):
resp.headers['Content-Security-Policy'] = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:"
resp.headers['Content-Security-Policy'] = "default-src 'self'" + ''.join([' '+host for host in config.config_trustedhosts.strip().split(',')]) + " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:"
if request.endpoint == "editbook.edit_book" or config.config_use_google_drive:
resp.headers['Content-Security-Policy'] += " *"
resp.headers['X-Content-Type-Options'] = 'nosniff'