feat(web): add content security policy (CSP)

2026-01-25 19:04:42 -08:00 · 2026-01-20 14:01:46 +01:00
parent 99bd7d5f27
commit 34906d636d
2 changed files with 10 additions and 1 deletions
--- a/web/src/app.html
+++ b/web/src/app.html
@@ -66,7 +66,7 @@
        background-color: black;
      }
    </style>
-    <script>
+    <script nonce="%sveltekit.nonce%">
      /**
       * Prevent FOUC on page load.
       */
--- a/web/svelte.config.js
+++ b/web/svelte.config.js
@@ -31,6 +31,15 @@ const config = {
      $i18n: '../i18n',
      'chromecast-caf-sender': './node_modules/@types/chromecast-caf-sender/index.d.ts',
    },
+    csp: {
+      directives: {
+        'default-src': ['self'],
+        'connect-src': ['self', 'blob:', 'https://*.immich.cloud', 'https://*.maptiler.com'], // TODO: check if custom maptiler json works
+        'img-src': ['self', 'blob:', 'data:'],
+        'script-src': ['self', 'wasm-unsafe-eval', 'https://*.gstatic.com'],
+        'worker-src': ['self', 'blob:'],
+      },
+    },
  },
 };