diff --git a/l4d2web/l4d2web/app.py b/l4d2web/l4d2web/app.py index 86e3113..0fce842 100644 --- a/l4d2web/l4d2web/app.py +++ b/l4d2web/l4d2web/app.py @@ -93,14 +93,14 @@ def create_app(test_config: dict[str, object] | None = None) -> Flask: nonce = getattr(g, "csp_nonce", "") # script-src nonce blocks inline XSS; style 'unsafe-inline' kept for # htmx's auto-injected indicator styles. img/data: for SVG icons. - # *.steamstatic.com covers Steam avatar hosts (avatars.steamstatic.com - # plus the cloudflare/akamai/fastly mirrors they rotate through). + # *.steamstatic.com covers Steam avatar hosts; *.steamusercontent.com + # serves Workshop item preview thumbnails. response.headers.setdefault( "Content-Security-Policy", "default-src 'self'; " f"script-src 'self' 'nonce-{nonce}'; " "style-src 'self' 'unsafe-inline'; " - "img-src 'self' data: https://*.steamstatic.com; " + "img-src 'self' data: https://*.steamstatic.com https://*.steamusercontent.com; " "connect-src 'self'; " "frame-ancestors 'none'; " "base-uri 'self'; " diff --git a/l4d2web/tests/test_security.py b/l4d2web/tests/test_security.py index b3db104..d3af5f0 100644 --- a/l4d2web/tests/test_security.py +++ b/l4d2web/tests/test_security.py @@ -81,8 +81,10 @@ def test_security_headers_present(client) -> None: assert "form-action 'self'" in csp # Steam avatar CDN must be explicitly allowed; otherwise the browser # silently blocks the avatar loads and the live-state grid shows - # placeholder circles with names but no faces. + # placeholder circles with names but no faces. Workshop preview thumbnails + # live on a separate host (*.steamusercontent.com) and must also be allowed. assert "img-src 'self' data: https://*.steamstatic.com" in csp + assert "https://*.steamusercontent.com" in csp def test_csp_nonce_matches_inline_script(client) -> None: