fix: proxy cover art through server to satisfy CSP img-src 'self'

The new CSP blocks direct browser requests to external image origins
(themoviedb.org, thetvdb.com, etc.) used for poster art.

- dashboard.js: add GET /api/dashboard/cover-art?url=... proxy endpoint
  (auth-required, http/https only, image content-type validated, 5MB cap,
  24h Cache-Control, streams response directly to client)
- app.js: route coverArt src through /api/dashboard/cover-art proxy
- server/utils/logger.js: fix hardcoded /app/server.log path (use DATA_DIR)
2026-05-17 07:24:15 +01:00
parent 251c7376c9
commit cc1e8af761
2 changed files with 42 additions and 1 deletions

@@ -387,7 +387,11 @@ function createDownloadCard(download) {
const coverDiv = document.createElement('div');
coverDiv.className = 'download-cover';
const coverImg = document.createElement('img');
coverImg.src = download.coverArt;
// Proxy cover art through the server so the CSP img-src 'self' rule
// is satisfied (external poster URLs would be blocked otherwise).
coverImg.src = download.coverArt
? '/api/dashboard/cover-art?url=' + encodeURIComponent(download.coverArt)
: '';
coverImg.alt = download.movieName || download.seriesName || download.title;
coverImg.loading = 'lazy';
coverDiv.appendChild(coverImg);
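
Review bot: at `coverImg.src = download.coverArt ? '/api/dashboard/cover-art?url=' + ...`, whatever URL is in `download.coverArt` is handed to the server to fetch, and the checks listed in the commit message (auth, http/https only, image content-type, 5MB cap) do not mention any restriction on the destination host. Since the poster origins are known (themoviedb.org, thetvdb.com, etc.), consider having the endpoint accept only an allowlist of those hosts, or at least refuse loopback and private addresses after DNS resolution and on every redirect, so the proxy only ever reaches the intended image hosts. Separately, the falsy branch still assigns `coverImg.src = ''`; leaving `src` unset or skipping the `<img>` when there is no cover art would avoid an empty-src element.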