From d545ea9e6fbc13a49765cf6bde0ed877c2e0bc0d Mon Sep 17 00:00:00 2001 From: Petipopotam <43313692+Petipopotam@users.noreply.github.com> Date: Tue, 24 Jan 2023 11:03:19 +0100 Subject: [PATCH] CSP invalid to display image when web.read_book CSP Before : default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:; style-src-elem 'self' blob: 'unsafe-inline'; object-src 'none'; After : default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data: blob:; style-src-elem 'self' blob: 'unsafe-inline';object-src 'none'; --- cps/web.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cps/web.py b/cps/web.py index 3166fe6f..fa12db5a 100644 --- a/cps/web.py +++ b/cps/web.py @@ -85,11 +85,11 @@ def add_security_headers(resp): csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'" if request.path.startswith("/author/") and config.config_use_goodreads: csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com" - csp += " data:;" + csp += " data:" if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive: csp += " *;" elif request.endpoint == "web.read_book": - csp += " style-src-elem 'self' blob: 'unsafe-inline';" + csp += " blob:; style-src-elem 'self' blob: 'unsafe-inline';" else: csp += ";" csp += " object-src 'none';"