janeczku / calibre-web

:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database
GNU General Public License v3.0

Content-Security-Policy of images with GDrive on epub reader wrong #3108

Closed mudream4869 closed 3 months ago

mudream4869 commented 4 months ago

Describe the bug/problem

The image in epub viewer doesn't show due to Content Security Policy.

Refused to load the stylesheet 'blob:http://localhost:8083/acb1e319-44e0-4e50-a62a-2e8ddd1ea961' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Related: https://github.com/janeczku/calibre-web/issues/3060

OzzieIsaacs commented 4 months ago

Could you please send me the book in question via private email (the email address is on my profile page)? I'd like to reproduce the issue myself.

mudream4869 commented 4 months ago

https://github.com/janeczku/calibre-web/blob/a0728b07d05785e60995656cf894c86ff96874ff/cps/web.py#L100

It seems this bug will appear when the Google Drive API is enabled.

An epub3 sample book: Accessible EPUB 3 can reproduce this bug.

I have a hot-fix and it just works for my conditions, but I'm not sure if its logic is ok.

    # Extend the per-request CSP depending on the endpoint being served
    if request.endpoint == "edit-book.show_edit_book":
        csp += " *;"
    elif request.endpoint == "web.read_book":
        # the epub reader loads stylesheets from blob: URLs, so style-src-elem
        # has to list blob: explicitly instead of falling back to default-src
        csp += " blob:; style-src-elem 'self' blob: 'unsafe-inline';"
    elif config.config_use_google_drive:
        csp += " *;"
    else:
        csp += ";"
    csp += " object-src 'none';"
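
The fallback the browser message describes ('style-src-elem' not set, so default-src applies) and the effect of the hot-fix can be checked offline with this added example, which is not calibre-web's code; the simplified policy matcher and `build_csp` are assumptions modelled on the snippet above, with the default-src prefix taken from the reported violation.

```python
from typing import Dict, List, Optional
# Fallback chains (CSP Level 3): a missing directive defers to the next entry
# in its chain, ending at default-src, as the report's message describes.
FALLBACK = {
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "object-src": ("object-src", "default-src"),
}
NETWORK_SCHEMES = ("http", "https", "ws", "wss")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def governing_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Walk the fallback chain; None means no directive applies (load allowed)."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return policy[name]
    return None

def allows(policy: Dict[str, List[str]], directive: str, url: str, page_origin: str) -> bool:
    """Decide whether `url` may load under `directive` for a page at `page_origin`."""
    sources = governing_sources(policy, directive)
    if sources is None:
        return True
    scheme = url.split(":", 1)[0]
    for src in sources:
        # '*' only matches network schemes, so blob:/data: need an explicit source.
        if src == "*" and scheme in NETWORK_SCHEMES:
            return True
        if src == f"{scheme}:" or (src == "'self'" and url.startswith(page_origin + "/")):
            return True
    return False

def build_csp(endpoint: str, use_google_drive: bool) -> str:
    """Header assembly mirroring the hot-fix above (assumed default-src prefix)."""
    csp = "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
    if endpoint == "edit-book.show_edit_book":
        csp += " *;"
    elif endpoint == "web.read_book":
        csp += " blob:; style-src-elem 'self' blob: 'unsafe-inline';"
    elif use_google_drive:
        csp += " *;"
    else:
        csp += ";"
    return csp + " object-src 'none';"
```

Running the reported header through `allows` shows the blob: stylesheet blocked, and the Google Drive branch's `*` does not help because a wildcard never covers blob: or data: URLs; only the `web.read_book` branch with an explicit `blob:` source lets the stylesheet load.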

OzzieIsaacs commented 4 months ago

Please check the newest nightly version; it should work now (hopefully without side effects).