Make CSP header configurable, and disable images in markdown (#964)

2026-02-04 02:51:17 +01:00 · 2025-06-06 13:41:20 +02:00
parent 96ee6978ac
commit 6666e8eba2
4 changed files with 12 additions and 4 deletions
--- a/README.md
+++ b/README.md
@@ -108,6 +108,7 @@ There are two ways to authenticate a user in Stash-box: a session or an API key.
 | `postgres.conn_max_lifetime` | (0) | Maximum lifetime in minutes before a connection is released. |
 | `require_scene_draft` | false | Whether to allow scene creation outside of draft submissions. |
 | `require_tag_role` | false | Whether to require the EditTag role to edit tags. |
+| `csp` | (none) | Contents of the `Content-Security-Policy` header |

 ## SSL (HTTPS)

--- a/frontend/src/utils/markdown.tsx
+++ b/frontend/src/utils/markdown.tsx
@@ -19,6 +19,7 @@ export const Markdown: FC<Props> = ({ text, unique }) =>
      remarkRehypeOptions={{
        clobberPrefix: unique ? `${unique}-` : undefined,
      }}
+      disallowedElements={["img"]}
      components={{
        input: (props) => (
          <input
--- a/pkg/api/routes_root.go
+++ b/pkg/api/routes_root.go
@@ -2,7 +2,6 @@ package api

 import (
 	"embed"
-	"fmt"
 	"html/template"
 	"io/fs"
 	"net/http"
@@ -49,9 +48,10 @@ func (rr rootRoutes) assets(w http.ResponseWriter, r *http.Request) {
 }

 func (rr rootRoutes) app(w http.ResponseWriter, r *http.Request) {
-	// Hash of an empty string, which is the contents of the Emotion CSS style element used by react-select
-	emotionHash := "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="
-	w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self'; style-src 'self' '%s'", emotionHash))
+	csp := config.GetCSP()
+	if csp != "" {
+		w.Header().Add("Content-Security-Policy", csp)
+	}
 	w.Header().Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 	w.Header().Add("X-Frame-Options", "SAMEORIGIN")
 	w.Header().Add("X-Content-Type-Options", "nosniff")
--- a/pkg/manager/config/config.go
+++ b/pkg/manager/config/config.go
@@ -119,6 +119,8 @@ type config struct {
 	Title string `mapstructure:"title"`

 	DraftTimeLimit int `mapstructure:"draft_time_limit"`
+
+	CSP string `mapstructure:"csp"`
 }

 var JWTSignKey = "jwt_secret_key"
@@ -463,3 +465,7 @@ func GetMaxIdleConns() int {
 func GetConnMaxLifetime() int {
 	return C.Postgres.MaxIdleConns
 }
+
+func GetCSP() string {
+	return C.CSP
+}