Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity

fix: allow inline style= attributes via CSP style-src-attr
Some checks failed
Build and Push Docker Image / build (push) Successful in 23s
Details
CI / Security audit (push) Successful in 45s
Details
CI / Tests & coverage (push) Failing after 46s
Details

Browse Source 
Timing bars in the status panel and any other dynamically-injected
style= attributes were being silently blocked by the Content Security
Policy. style-src only governs <style> blocks and linked stylesheets;
inline element attributes need style-src-attr separately.

Adding style-src-attr 'unsafe-inline' is the minimal fix — it only
affects attribute-level inline styles, not script execution.

Also removes the temporary debug console.log added in the previous commit.
This commit is contained in:
Gronod
2026-05-17 08:53:07 +01:00
parent 35d50fad0a
commit cafa608e8c
2 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
public/app.js
View File

@@ -705,7 +705,6 @@ function renderStatusPanel(data, panel) {
<div class="status-card-title">Last Poll (${lp.totalMs}ms total, ${pollAge}s ago)</div>
<div class="status-timings">`;
const maxTaskMs = lp.tasks.reduce((max, t) => Math.max(max, t.ms), 1);
console.log('[Status] task timings:', JSON.stringify(lp.tasks), 'maxTaskMs:', maxTaskMs);
for (const t of lp.tasks) {
const barWidth = Math.max(2, (t.ms / maxTaskMs) * 100);
html += `