cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(csp): allow workshop preview thumbnails from steamusercontent.com

Browse source 
Steam serves workshop preview images from images.steamusercontent.com,
which the previous img-src whitelist did not cover, so the browser
silently blocked every <img> in _overlay_item_table.html.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
mwiegand 2026-05-16 11:22:30 +02:00
parent b04bcbce7c
commit 6cef55f900
No known key found for this signature in database
2 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
l4d2web/l4d2web/app.py
View file

@ -93,14 +93,14 @@ def create_app(test_config: dict[str, object] | None = None) -> Flask:
nonce = getattr(g, "csp_nonce", "") nonce = getattr(g, "csp_nonce", "")
# script-src nonce blocks inline XSS; style 'unsafe-inline' kept for # script-src nonce blocks inline XSS; style 'unsafe-inline' kept for
# htmx's auto-injected indicator styles. img/data: for SVG icons. # htmx's auto-injected indicator styles. img/data: for SVG icons.
# *.steamstatic.com covers Steam avatar hosts (avatars.steamstatic.com # *.steamstatic.com covers Steam avatar hosts; *.steamusercontent.com
# plus the cloudflare/akamai/fastly mirrors they rotate through). # serves Workshop item preview thumbnails.
response.headers.setdefault( response.headers.setdefault(
"Content-Security-Policy", "Content-Security-Policy",
"default-src 'self'; " "default-src 'self'; "
f"script-src 'self' 'nonce-{nonce}'; " f"script-src 'self' 'nonce-{nonce}'; "
"style-src 'self' 'unsafe-inline'; " "style-src 'self' 'unsafe-inline'; "
"img-src 'self' data: https://*.steamstatic.com; " "img-src 'self' data: https://*.steamstatic.com https://*.steamusercontent.com; "
"connect-src 'self'; " "connect-src 'self'; "
"frame-ancestors 'none'; " "frame-ancestors 'none'; "
"base-uri 'self'; " "base-uri 'self'; "

4
l4d2web/tests/test_security.py
View file

@ -81,8 +81,10 @@ def test_security_headers_present(client) -> None:
assert "form-action 'self'" in csp assert "form-action 'self'" in csp
# Steam avatar CDN must be explicitly allowed; otherwise the browser # Steam avatar CDN must be explicitly allowed; otherwise the browser
# silently blocks the avatar <img> loads and the live-state grid shows # silently blocks the avatar <img> loads and the live-state grid shows
# placeholder circles with names but no faces. # placeholder circles with names but no faces. Workshop preview thumbnails
# live on a separate host (*.steamusercontent.com) and must also be allowed.
assert "img-src 'self' data: https://*.steamstatic.com" in csp assert "img-src 'self' data: https://*.steamstatic.com" in csp
assert "https://*.steamusercontent.com" in csp
def test_csp_nonce_matches_inline_script(client) -> None: def test_csp_nonce_matches_inline_script(client) -> None: