Make CSP header configurable, and disable images in markdown (#964)

InfiniteStash · web-flow · commit 6666e8eba2a6 · 2025-06-06T13:41:20.000+02:00
diff --git a/README.md b/README.md
@@ -108,6 +108,7 @@ There are two ways to authenticate a user in Stash-box: a session or an API key.
 | `postgres.conn_max_lifetime` | (0) | Maximum lifetime in minutes before a connection is released. |
 | `require_scene_draft` | false | Whether to allow scene creation outside of draft submissions. |
 | `require_tag_role` | false | Whether to require the EditTag role to edit tags. |
+| `csp` | (none) | Contents of the `Content-Security-Policy` header |
 
 ## SSL (HTTPS)
 
diff --git a/frontend/src/utils/markdown.tsx b/frontend/src/utils/markdown.tsx
@@ -19,6 +19,7 @@ export const Markdown: FC<Props> = ({ text, unique }) =>
       remarkRehypeOptions={{
         clobberPrefix: unique ? `${unique}-` : undefined,
       }}
+      disallowedElements={["img"]}
       components={{
         input: (props) => (
           <input
diff --git a/pkg/api/routes_root.go b/pkg/api/routes_root.go
@@ -2,7 +2,6 @@ package api
 
 import (
 	"embed"
-	"fmt"
 	"html/template"
 	"io/fs"
 	"net/http"
@@ -49,9 +48,10 @@ func (rr rootRoutes) assets(w http.ResponseWriter, r *http.Request) {
 }
 
 func (rr rootRoutes) app(w http.ResponseWriter, r *http.Request) {
-	// Hash of an empty string, which is the contents of the Emotion CSS style element used by react-select
-	emotionHash := "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="
-	w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self'; style-src 'self' '%s'", emotionHash))
+	csp := config.GetCSP()
+	if csp != "" {
+		w.Header().Add("Content-Security-Policy", csp)
+	}
 	w.Header().Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 	w.Header().Add("X-Frame-Options", "SAMEORIGIN")
 	w.Header().Add("X-Content-Type-Options", "nosniff")
diff --git a/pkg/manager/config/config.go b/pkg/manager/config/config.go
@@ -119,6 +119,8 @@ type config struct {
 	Title string `mapstructure:"title"`
 
 	DraftTimeLimit int `mapstructure:"draft_time_limit"`
+
+	CSP string `mapstructure:"csp"`
 }
 
 var JWTSignKey = "jwt_secret_key"
@@ -463,3 +465,7 @@ func GetMaxIdleConns() int {
 func GetConnMaxLifetime() int {
 	return C.Postgres.MaxIdleConns
 }
+
+func GetCSP() string {
+	return C.CSP
+}

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,8 @@ type config struct {`
`119`	`119`	Title string `mapstructure:"title"`
`120`	`120`
`121`	`121`	DraftTimeLimit int `mapstructure:"draft_time_limit"`
	`122`	`+`
	`123`	+ CSP string `mapstructure:"csp"`
`122`	`124`	`}`
`123`	`125`
`124`	`126`	`var JWTSignKey = "jwt_secret_key"`
`@@ -463,3 +465,7 @@ func GetMaxIdleConns() int {`
`463`	`465`	`func GetConnMaxLifetime() int {`
`464`	`466`	`return C.Postgres.MaxIdleConns`
`465`	`467`	`}`
	`468`	`+`
	`469`	`+func GetCSP() string {`
	`470`	`+ return C.CSP`
	`471`	`+}`