fix(csp): support CivitAI CDN subdomains for example images (#822)

- Update CSP whitelist to use wildcard *.civitai.com for all CDN subdomains
- Fix hostname parsing to use parsed.hostname instead of parsed.netloc (handles ports)
- Update rewrite_preview_url() to support all CivitAI CDN subdomains
- Update rewriteCivitaiUrl() frontend function to support subdomains
- Add comprehensive tests for edge cases (ports, subdomains, invalid URLs)
- Add security note explaining wildcard CSP design decision

Fixes CSP blocking of images from image-b2.civitai.com and other CDN subdomains

py/middleware/csp_middleware.py

@@ -4,15 +4,21 @@ from typing import Awaitable, Callable, Dict, List
 
 from aiohttp import web
 
+# Use wildcard for CivitAI to support their CDN subdomains (e.g., image-b2.civitai.com)
+# Security note: This is acceptable because:
+# 1. CSP img-src only controls image/video loading, not script execution
+# 2. All *.civitai.com subdomains are controlled by Civitai
+# 3. Explicit domain list would require constant updates as Civitai adds CDN nodes
 REMOTE_MEDIA_SOURCES = (
-    "https://image.civitai.com",
+    "https://*.civitai.com",
     "https://img.genur.art",
 )
 
 
 @web.middleware
 async def relax_csp_for_remote_media(
-    request: web.Request, handler: Callable[[web.Request], Awaitable[web.StreamResponse]]
+    request: web.Request,
+    handler: Callable[[web.Request], Awaitable[web.StreamResponse]],
 ) -> web.StreamResponse:
     """Allow LoRA Manager media previews to load from trusted remote domains.
 
@@ -43,7 +49,9 @@ async def relax_csp_for_remote_media(
             directive_order.append(name)
         directives[name] = values
 
-    def merge_sources(name: str, sources: List[str], defaults: List[str] | None = None) -> None:
+    def merge_sources(
+        name: str, sources: List[str], defaults: List[str] | None = None
+    ) -> None:
         existing = directives.get(name, list(defaults or []))
 
         for source in sources:

py/utils/civitai_utils.py

@@ -22,7 +22,9 @@ def _normalize_commercial_values(value: Any) -> Sequence[str]:
 
     def _split_aggregate(value_str: str) -> list[str]:
         stripped = value_str.strip()
-        looks_aggregate = "," in stripped or (stripped.startswith("{") and stripped.endswith("}"))
+        looks_aggregate = "," in stripped or (
+            stripped.startswith("{") and stripped.endswith("}")
+        )
         if not looks_aggregate:
             return [value_str]
 
@@ -141,14 +143,18 @@ def build_license_flags(payload: Mapping[str, Any] | None) -> int:
     return flags
 
 
-def resolve_license_info(model_data: Mapping[str, Any] | None) -> tuple[Dict[str, Any], int]:
+def resolve_license_info(
+    model_data: Mapping[str, Any] | None,
+) -> tuple[Dict[str, Any], int]:
     """Return normalized license payload and its encoded bitset."""
 
     payload = resolve_license_payload(model_data)
     return payload, build_license_flags(payload)
 
 
-def rewrite_preview_url(source_url: str | None, media_type: str | None = None) -> tuple[str | None, bool]:
+def rewrite_preview_url(
+    source_url: str | None, media_type: str | None = None
+) -> tuple[str | None, bool]:
     """Rewrite Civitai preview URLs to use optimized renditions.
 
     Args:
@@ -168,7 +174,12 @@ def rewrite_preview_url(source_url: str | None, media_type: str | None = None) -
     except ValueError:
         return source_url, False
 
-    if parsed.netloc.lower() != "image.civitai.com":
+    hostname = parsed.hostname
+    if hostname is None:
+        return source_url, False
+
+    hostname = hostname.lower()
+    if hostname == "civitai.com" or not hostname.endswith(".civitai.com"):
         return source_url, False
 
     replacement = "/width=450,optimized=true"