fix(csp): support CivitAI CDN subdomains for example images (#822)

- Update CSP whitelist to use wildcard *.civitai.com for all CDN subdomains
- Fix hostname parsing to use parsed.hostname instead of parsed.netloc (handles ports)
- Update rewrite_preview_url() to support all CivitAI CDN subdomains
- Update rewriteCivitaiUrl() frontend function to support subdomains
- Add comprehensive tests for edge cases (ports, subdomains, invalid URLs)
- Add security note explaining wildcard CSP design decision

Fixes CSP blocking of images from image-b2.civitai.com and other CDN subdomains
Will Miao
2026-04-03 09:40:15 +08:00
parent 05636712f0
commit 30db8c3d1d
6 changed files with 236 additions and 17 deletions


@@ -30,8 +30,9 @@ export function rewriteCivitaiUrl(sourceUrl, mediaType = null, mode = Optimizati
try {
const url = new URL(sourceUrl);
// Check if it's a CivitAI image domain
if (url.hostname.toLowerCase() !== 'image.civitai.com') {
// Check if it's a CivitAI CDN domain (supports all subdomains like image-b2.civitai.com)
const hostname = url.hostname.toLowerCase();
if (hostname === 'civitai.com' || !hostname.endsWith('.civitai.com')) {
return [sourceUrl, false];
}
@@ -112,7 +113,8 @@ export function isCivitaiUrl(url) {
if (!url) return false;
try {
const parsed = new URL(url);
return parsed.hostname.toLowerCase() === 'image.civitai.com';
const hostname = parsed.hostname.toLowerCase();
return hostname.endsWith('.civitai.com') && hostname !== 'civitai.com';
} catch (e) {
return false;
}
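Review bot: The `.civitai.com` suffix test on the new `return` line duplicates the allowlist rule that `rewriteCivitaiUrl` also gained in this commit (`hostname === 'civitai.com' || !hostname.endsWith('.civitai.com')`), so the two host checks can drift apart the next time the CDN host list changes; a single shared predicate such as `const isCivitaiCdnHost = (hostname) => hostname.endsWith('.civitai.com') && hostname !== 'civitai.com';` used by both functions keeps the frontend allowlist in one place. The condition also constrains only the hostname, so a URL with any scheme the URL parser accepts (for example `http:`) is reported as a CivitAI URL; if the CSP entry this is meant to mirror is scheme-restricted, add `parsed.protocol === 'https:'` to the returned condition so both layers agree. The leading dot in the suffix is the right shape for this check, since it stops an unrelated registrable domain that merely ends in `civitai.com` from matching. The function's signature line is outside the hunk.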