fix: allow inline style= attributes via CSP style-src-attr

Timing bars in the status panel and any other dynamically-injected
style= attributes were being silently blocked by the Content Security
Policy. style-src-attr falls back to style-src when absent, but a nonce cannot
be attached to an element attribute, so a nonce-only style-src blocks every
style= attribute; attribute-level styles need a separate style-src-attr allowance.

Adding style-src-attr 'unsafe-inline' is the minimal fix — it only
affects attribute-level inline styles, not script execution.

Also removes the temporary debug console.log added in the previous commit.
2026-05-17 08:53:07 +01:00
parent 35d50fad0a
commit cafa608e8c
2 changed files with 1 additions and 1 deletions


@@ -705,7 +705,6 @@ function renderStatusPanel(data, panel) {
<div class="status-card-title">Last Poll (${lp.totalMs}ms total, ${pollAge}s ago)</div> <div class="status-card-title">Last Poll (${lp.totalMs}ms total, ${pollAge}s ago)</div>
<div class="status-timings">`; <div class="status-timings">`;
const maxTaskMs = lp.tasks.reduce((max, t) => Math.max(max, t.ms), 1); const maxTaskMs = lp.tasks.reduce((max, t) => Math.max(max, t.ms), 1);
console.log('[Status] task timings:', JSON.stringify(lp.tasks), 'maxTaskMs:', maxTaskMs);
for (const t of lp.tasks) { for (const t of lp.tasks) {
const barWidth = Math.max(2, (t.ms / maxTaskMs) * 100); const barWidth = Math.max(2, (t.ms / maxTaskMs) * 100);
html += ` html += `


@@ -42,6 +42,7 @@ function createApp({ skipRateLimits = false } = {}) {
defaultSrc: ["'self'"], defaultSrc: ["'self'"],
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`], scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`], styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
styleSrcAttr: ["'unsafe-inline'"],
imgSrc: ["'self'", 'data:', 'blob:'], imgSrc: ["'self'", 'data:', 'blob:'],
fontSrc: ["'self'", 'data:'], fontSrc: ["'self'", 'data:'],
connectSrc: ["'self'"], connectSrc: ["'self'"],
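Review bot: The added `styleSrcAttr: ["'unsafe-inline'"]` re-enables attacker-controlled `style=` attributes for the whole application, not just the timing bars — any markup that reaches the page unescaped can now position overlays for clickjacking or leak data through CSS, which the nonce-only style-src was preventing; the description is right that script execution is unaffected, but this is not a cost-free change. Because the bars are produced by the nonce-protected script, the width can be applied through the CSSOM instead, which CSP does not restrict: emit a data attribute in the template (`<div class="status-timing-bar" data-width="${barWidth}">`), and after the HTML is inserted set `bar.style.width = bar.dataset.width + '%';` in a loop, leaving style-src-attr at its default. If the attribute route is kept, browsers that do not implement style-src-attr fall back to style-src, where the nonce still blocks the attributes, so the fix appears not to be universal; the failing "Tests & coverage" job may also be a test pinning the exact CSP header, worth checking before merge. The helmet options object and createApp continue outside the hunk.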