Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity

fix: allow inline style= attributes via CSP style-src-attr
Some checks failed
Build and Push Docker Image / build (push) Successful in 23s
Details
CI / Security audit (push) Successful in 45s
Details
CI / Tests & coverage (push) Failing after 46s
Details

Browse Source 
Timing bars in the status panel and any other dynamically-injected
style= attributes were being silently blocked by the Content Security
Policy. style-src only governs <style> blocks and linked stylesheets;
inline element attributes need style-src-attr separately.

Adding style-src-attr 'unsafe-inline' is the minimal fix — it only
affects attribute-level inline styles, not script execution.

Also removes the temporary debug console.log added in the previous commit.
This commit is contained in:
Gronod
2026-05-17 08:53:07 +01:00
parent 35d50fad0a
commit cafa608e8c
2 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
server/app.js
View File

@@ -42,6 +42,7 @@ function createApp({ skipRateLimits = false } = {}) {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
styleSrcAttr: ["'unsafe-inline'"],
imgSrc: ["'self'", 'data:', 'blob:'],
fontSrc: ["'self'", 'data:'],
connectSrc: ["'self'"],