fix(security): allow same-origin PDF previews under CSP (#1253)

Firefox/Chrome enforce object-src, so object-src 'none' blocked the inline <object> PDF preview (worked only in Safari). Relax to 'self' for same-origin file previews.
Maurice
2026-06-19 17:56:26 +02:00
parent 0b995cfd55
commit f8c77bff8e
+3 -1
@@ -119,7 +119,9 @@ export function applyGlobalMiddleware(
workerSrc: ["'self'", "blob:"],
childSrc: ["'self'", "blob:"],
fontSrc: ["'self'", "https://fonts.gstatic.com", "data:"],
objectSrc: ["'none'"],
// 'self' so same-origin file previews can embed PDFs via <object>/<embed>
// (Firefox/Chrome enforce object-src; 'none' broke inline PDF previews there).
objectSrc: ["'self'"],
frameSrc: ["'none'"],
frameAncestors: ["'self'"],
// Restrict <form> submission targets (form-action has no default-src
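Review bot: The new `objectSrc: ["'self'"]` admits every same-origin URL for `<object>`/`<embed>`, not only the PDF preview the comment describes, so it also weakens `frameSrc: ["'none'"]` two lines below: browsers that load non-plugin `<object>` content as a nested browsing context (Chrome appears to) will embed same-origin HTML or SVG through `<object>` even though framing is forbidden. If this origin also serves user-supplied uploads, those files become embeddable inline, which is the case 'none' was protecting against; the preview route should then send `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment` for anything that is not a PDF, or uploads should live on a separate origin. Where the application's own origin is known when this middleware runs, a path-scoped source expression such as `<APP_ORIGIN>/<preview-path>/` in place of `'self'` narrows the allowance to the preview endpoint. I would extend the new comment with `// NOTE: 'self' also admits same-origin HTML/SVG via <object>; uploads must not be served inline from this origin.` The enclosing applyGlobalMiddleware starts and ends outside the hunk.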