feat: add CSP middleware to allow remote media previews, fixes #710, see #715

Introduce `relax_csp_for_remote_media` middleware that modifies Content Security Policy headers to permit loading media from trusted external domains (Civitai and Genur). This is necessary for LoRA Manager UI previews when ComfyUI runs with `--disable-api-nodes`, which otherwise blocks remote images and videos. The middleware is ordered to execute after ComfyUI's `block_external_middleware`, so that it can extend the restrictive CSP header instead of being overwritten by it.
Will Miao
2025-12-09 10:37:35 +08:00
parent 5000478991
commit 74bfd397aa
3 changed files with 152 additions and 0 deletions


@@ -17,6 +17,7 @@ from .services.settings_manager import get_settings_manager
from .utils.example_images_migration import ExampleImagesMigration
from .services.websocket_manager import ws_manager
from .services.example_images_cleanup_service import ExampleImagesCleanupService
from .middleware.csp_middleware import relax_csp_for_remote_media
logger = logging.getLogger(__name__)
@@ -62,6 +63,23 @@ class LoraManager:
"""Initialize and register all routes using the new refactored architecture"""
app = PromptServer.instance.app
if relax_csp_for_remote_media not in app.middlewares:
# Ensure CSP relaxer executes after ComfyUI's block_external_middleware so it can
# see and extend the restrictive header instead of being overwritten by it.
block_middleware_index = next(
(
idx
for idx, middleware in enumerate(app.middlewares)
if getattr(middleware, "__name__", "") == "block_external_middleware"
),
None,
)
if block_middleware_index is None:
app.middlewares.append(relax_csp_for_remote_media)
else:
app.middlewares.insert(block_middleware_index, relax_csp_for_remote_media)
# Increase allowed header sizes so browsers with large localhost cookie
# jars (multiple UIs on 127.0.0.1) don't trip aiohttp's 8KB default
# limits. Cookies for unrelated apps are still sent to the plugin and