From 6666e8eba2a663c73f01551e28659b5af45747bf Mon Sep 17 00:00:00 2001
From: InfiniteStash <117855276+InfiniteStash@users.noreply.github.com>
Date: Fri, 6 Jun 2025 13:41:20 +0200
Subject: [PATCH] Make CSP header configurable, and disable images in markdown
 (#964)

---
 README.md                       | 1 +
 frontend/src/utils/markdown.tsx | 1 +
 pkg/api/routes_root.go          | 8 ++++----
 pkg/manager/config/config.go    | 6 ++++++
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index b5d0347..1045593 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,7 @@ There are two ways to authenticate a user in Stash-box: a session or an API key.
 | `postgres.conn_max_lifetime` | (0) | Maximum lifetime in minutes before a connection is released. |
 | `require_scene_draft` | false | Whether to allow scene creation outside of draft submissions. |
 | `require_tag_role` | false | Whether to require the EditTag role to edit tags. |
+| `csp` | (none) | Contents of the `Content-Security-Policy` header |
 
 ## SSL (HTTPS)
 
diff --git a/frontend/src/utils/markdown.tsx b/frontend/src/utils/markdown.tsx
index 329aa65..5c8e969 100644
--- a/frontend/src/utils/markdown.tsx
+++ b/frontend/src/utils/markdown.tsx
@@ -19,6 +19,7 @@ export const Markdown: FC<Props> = ({ text, unique }) =>
       remarkRehypeOptions={{
         clobberPrefix: unique ? `${unique}-` : undefined,
       }}
+      disallowedElements={["img"]}
       components={{
         input: (props) => (
           <input
diff --git a/pkg/api/routes_root.go b/pkg/api/routes_root.go
index c311102..bd26bd4 100644
--- a/pkg/api/routes_root.go
+++ b/pkg/api/routes_root.go
@@ -2,7 +2,6 @@ package api
 
 import (
 	"embed"
-	"fmt"
 	"html/template"
 	"io/fs"
 	"net/http"
@@ -49,9 +48,10 @@ func (rr rootRoutes) assets(w http.ResponseWriter, r *http.Request) {
 }
 
 func (rr rootRoutes) app(w http.ResponseWriter, r *http.Request) {
-	// Hash of an empty string, which is the contents of the Emotion CSS style element used by react-select
-	emotionHash := "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="
-	w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self'; style-src 'self' '%s'", emotionHash))
+	csp := config.GetCSP()
+	if csp != "" {
+		w.Header().Add("Content-Security-Policy", csp)
+	}
 	w.Header().Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 	w.Header().Add("X-Frame-Options", "SAMEORIGIN")
 	w.Header().Add("X-Content-Type-Options", "nosniff")
diff --git a/pkg/manager/config/config.go b/pkg/manager/config/config.go
index d2efc73..9a759ab 100644
--- a/pkg/manager/config/config.go
+++ b/pkg/manager/config/config.go
@@ -119,6 +119,8 @@ type config struct {
 	Title string `mapstructure:"title"`
 
 	DraftTimeLimit int `mapstructure:"draft_time_limit"`
+
+	CSP string `mapstructure:"csp"`
 }
 
 var JWTSignKey = "jwt_secret_key"
@@ -463,3 +465,7 @@ func GetMaxIdleConns() int {
 func GetConnMaxLifetime() int {
 	return C.Postgres.MaxIdleConns
 }
+
+func GetCSP() string {
+	return C.CSP
+}