From c6bf62a6ebe38ea6b09b28fd72dd15520c640c37 Mon Sep 17 00:00:00 2001
From: cbartondock
Date: Fri, 22 Oct 2021 15:35:10 -0400
Subject: [PATCH] The recent changes to content security policy broke custom theming. I fixed it by adding a trusted hosts field to Server Configuration

---
 cps/admin.py | 2 +-
 cps/config_sql.py | 2 +-
 cps/templates/config_edit.html | 4 ++++
 cps/web.py | 2 +-
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/cps/admin.py b/cps/admin.py
index 2f377187..557d0255 100644
--- a/cps/admin.py
+++ b/cps/admin.py
@@ -1199,7 +1199,7 @@ def _configuration_update_helper():
 to_save = request.form.to_dict()
 try:
 reboot_required |= _config_int(to_save, "config_port")
-
+ reboot_required |= _config_string(to_save, "config_trustedhosts")
 reboot_required |= _config_string(to_save, "config_keyfile")
 if config.config_keyfile and not os.path.isfile(config.config_keyfile):
 return _configuration_result(_('Keyfile Location is not Valid, Please Enter Correct Path'))
diff --git a/cps/config_sql.py b/cps/config_sql.py
index 0b45059d..ebc4ca24 100644
--- a/cps/config_sql.py
+++ b/cps/config_sql.py
@@ -66,7 +66,7 @@ class _Settings(_Base):
 config_external_port = Column(Integer, default=constants.DEFAULT_PORT)
 config_certfile = Column(String)
 config_keyfile = Column(String)
-
+ config_trustedhosts = Column(String,default='')
 config_calibre_web_title = Column(String, default=u'Calibre-Web')
 config_books_per_page = Column(Integer, default=60)
 config_random_books = Column(Integer, default=4)
diff --git a/cps/templates/config_edit.html b/cps/templates/config_edit.html
index 8cd0034e..4d6c68ce 100644
--- a/cps/templates/config_edit.html
+++ b/cps/templates/config_edit.html
@@ -46,6 +46,10 @@
+
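Review bot: The added `reboot_required |= _config_string(to_save, "config_trustedhosts")` stores the submitted host list verbatim, and cps/web.py (the last hunk of this patch) splices that string straight into the Content-Security-Policy header, so an entry containing `;`, a quote or inner whitespace rewrites the policy instead of adding one source. The value is admin-controlled, so the exposure is a misconfigured policy rather than an injection from outside, but it is still cheaper to reject it here than to debug a silently broken header later. Validate each comma-separated entry before saving, mirroring the keyfile check a few lines below: `hosts = [h.strip() for h in to_save.get("config_trustedhosts", "").split(",") if h.strip()]` followed by `if any(c in h for h in hosts for c in ";' \"")` → `return _configuration_result(_('Trusted Hosts must be a comma separated list of host names'))`. `_configuration_update_helper` continues outside the hunk.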
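Review bot: The new column `config_trustedhosts = Column(String,default='')` drops the space after the comma that every neighbouring `Column(...)` in the hunk uses; write it as `config_trustedhosts = Column(String, default='')`. A short comment stating the stored format would also help the next reader, since nothing on this line says the value is a comma-separated list: `# comma-separated hosts added to the CSP default-src list (see web.add_security_headers)`. The `_Settings` class continues outside the hunk.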
+ + +
diff --git a/cps/web.py b/cps/web.py
index 80a684fa..674e149a 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -82,7 +82,7 @@ except ImportError:
 @app.after_request
 def add_security_headers(resp):
- resp.headers['Content-Security-Policy'] = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:"
+ resp.headers['Content-Security-Policy'] = "default-src 'self'" + ''.join([' '+host for host in config.config_trustedhosts.strip().split(',')]) + " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:"
 if request.endpoint == "editbook.edit_book" or config.config_use_google_drive:
 resp.headers['Content-Security-Policy'] += " *"
 resp.headers['X-Content-Type-Options'] = 'nosniff'
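Review bot: The new header expression neither strips nor filters the individual entries: with the column's default of `''`, `''.strip().split(',')` yields `['']` and an empty source is emitted, and a list like `a.example, b.example` keeps the inner whitespace on each entry, so the header only stays well-formed because CSP treats runs of spaces as separators. Build the source list explicitly instead: `sources = ["'self'"] + [h.strip() for h in config.config_trustedhosts.split(',') if h.strip()]` and then `resp.headers['Content-Security-Policy'] = "default-src " + ' '.join(sources) + " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:"`. Note also that the trusted hosts are added to `default-src` only, while `font-src` and `img-src` stay at `'self' data:`, so a theme that pulls fonts or images from one of those hosts would presumably still be blocked — worth confirming against the theming use case the commit message describes. The body of `add_security_headers` continues outside the hunk.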