alphard/ComfyUI-Lora-Manager
1
0
Fork 0
mirror of https://github.com/willmiao/ComfyUI-Lora-Manager.git synced 2026-04-10 04:42:14 -03:00
Code Issues Packages Projects Releases Wiki Activity

fix(csp): support CivitAI CDN subdomains for example images (#822)

Browse Source 
- Update CSP whitelist to use wildcard *.civitai.com for all CDN subdomains
- Fix hostname parsing to use parsed.hostname instead of parsed.netloc (handles ports)
- Update rewrite_preview_url() to support all CivitAI CDN subdomains
- Update rewriteCivitaiUrl() frontend function to support subdomains
- Add comprehensive tests for edge cases (ports, subdomains, invalid URLs)
- Add security note explaining wildcard CSP design decision

Fixes CSP blocking of images from image-b2.civitai.com and other CDN subdomains
This commit is contained in:
Will Miao
2026-04-03 09:40:15 +08:00
parent 05636712f0
commit 30db8c3d1d
6 changed files with 236 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
tests/middleware/test_csp_middleware.py
View File

@@ -2,7 +2,10 @@ import pytest
from aiohttp import web
from aiohttp.test_utils import make_mocked_request
from py.middleware.csp_middleware import REMOTE_MEDIA_SOURCES, relax_csp_for_remote_media
from py.middleware.csp_middleware import (
REMOTE_MEDIA_SOURCES,
relax_csp_for_remote_media,
)
DEFAULT_CSP = (
"default-src 'self'; "
@@ -40,7 +43,9 @@ async def _invoke_middleware(
@pytest.mark.asyncio
async def test_relax_csp_appends_remote_sources_and_preserves_existing_directives() -> None:
async def test_relax_csp_appends_remote_sources_and_preserves_existing_directives() -> (
None
):
response = await _invoke_middleware("/some-path", web.Response())
header_value = response.headers.get("Content-Security-Policy")
assert header_value is not None
@@ -48,16 +53,17 @@ async def test_relax_csp_appends_remote_sources_and_preserves_existing_directive
directives = _parse_directives(header_value)
# Existing directives remain intact
assert directives["script-src"] == ["'self'", "'unsafe-inline'", "'unsafe-eval'", "blob:"]
assert directives["script-src"] == [
"'self'",
"'unsafe-inline'",
"'unsafe-eval'",
"blob:",
]
assert directives["img-src"][:3] == ["'self'", "data:", "blob:"]
# Remote media hosts are added once to the relevant directives
for source in REMOTE_MEDIA_SOURCES:
assert source in directives["img-src"]
assert "media-src" in directives
assert directives["media-src"][0] == "'self'"
for source in REMOTE_MEDIA_SOURCES:
assert source in directives["media-src"]