From 1ad8dc102abbb1ace43eb0fd8145c89b502e4881 Mon Sep 17 00:00:00 2001
From: Petipopotam <43313692+Petipopotam@users.noreply.github.com>
Date: Tue, 24 Jan 2023 10:51:48 +0100
Subject: [PATCH 1/2] CSP invalid syntax

CSP had some "cosmetic" errors

Before : default-src 'self'  'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data: style-src-elem 'self' blob: 'unsafe-inline';object-src: 'none';
After :    default-src 'self'  'unsafe-inline' 'unsafe-eval'; font-src 'self' data:;  img-src 'self' data:; style-src-elem 'self' blob: 'unsafe-inline'; object-src 'none';
---
 cps/web.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cps/web.py b/cps/web.py
index d2e4e32c..3166fe6f 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -85,14 +85,14 @@ def add_security_headers(resp):
     csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'"
     if request.path.startswith("/author/") and config.config_use_goodreads:
         csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com"
-    csp += " data:"
+    csp += " data:;"
     if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
         csp += " *;"
     elif request.endpoint == "web.read_book":
         csp += " style-src-elem 'self' blob: 'unsafe-inline';"
     else:
         csp += ";"
-    csp += "object-src: 'none';"
+    csp += " object-src 'none';"
     resp.headers['Content-Security-Policy'] = csp
     resp.headers['X-Content-Type-Options'] = 'nosniff'
     resp.headers['X-Frame-Options'] = 'SAMEORIGIN'

From d545ea9e6fbc13a49765cf6bde0ed877c2e0bc0d Mon Sep 17 00:00:00 2001
From: Petipopotam <43313692+Petipopotam@users.noreply.github.com>
Date: Tue, 24 Jan 2023 11:03:19 +0100
Subject: [PATCH 2/2] CSP invalid to display image when web.read_book

CSP
Before : default-src 'self'  'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:; style-src-elem 'self' blob: 'unsafe-inline'; object-src 'none';
After :    default-src 'self'  'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data: blob:; style-src-elem 'self' blob: 'unsafe-inline';object-src 'none';
---
 cps/web.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cps/web.py b/cps/web.py
index 3166fe6f..fa12db5a 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -85,11 +85,11 @@ def add_security_headers(resp):
     csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'"
     if request.path.startswith("/author/") and config.config_use_goodreads:
         csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com"
-    csp += " data:;"
+    csp += " data:"
     if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
         csp += " *;"
     elif request.endpoint == "web.read_book":
-        csp += " style-src-elem 'self' blob: 'unsafe-inline';"
+        csp += " blob:; style-src-elem 'self' blob: 'unsafe-inline';"
     else:
         csp += ";"
     csp += " object-src 'none';"