From b9f128f8c789a9eddb8462843d7786844ec4a607 Mon Sep 17 00:00:00 2001
From: alam00000
Date: Sat, 18 Apr 2026 00:29:33 +0530
Subject: [PATCH] fix: update Content Security Policy
---
docs/self-hosting/docker.md | 2 ++
scripts/generate-security-headers.mjs | 10 ++++------
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/self-hosting/docker.md b/docs/self-hosting/docker.md
index d3807d6..bb9246d 100644
--- a/docs/self-hosting/docker.md
+++ b/docs/self-hosting/docker.md
@@ -120,6 +120,8 @@ As a result:
 - If you configure custom WASM URLs at _runtime_ via the in-app Advanced Settings page, those origins are **not** in the CSP and the browser will block fetches to them. Runtime configuration is intended for experimentation; for permanent custom URLs set the matching `VITE_*` build arg.
 - Air-gapped deployments that override all three `VITE_WASM_*_URL` values also get the public `cdn.jsdelivr.net` removed from CSP (each default is replaced, not appended). Similarly, setting `VITE_CORS_PROXY_URL` replaces the public `bentopdf-cors-proxy.bentopdf.workers.dev` default.
+The CSP includes `'unsafe-eval'` in `script-src` because the LibreOffice WASM runtime (used by Word/Excel/PowerPoint conversion tools) compiles internal dispatch code via `new Function()`. Removing it would break all LibreOffice-backed tools. If you build in `SIMPLE_MODE` (without LibreOffice), you can manually edit the generated `security-headers.conf` to drop `'unsafe-eval'` for a stricter policy.
+
 For OCR, leave the `VITE_TESSERACT_*` variables empty to use the default online assets, or set all three together for self-hosted/offline OCR. Partial OCR overrides are rejected because the worker, core runtime, and traineddata directory must match. For fully offline searchable PDF output, also set `VITE_OCR_FONT_BASE_URL` so the OCR text-layer fonts are loaded from your internal server instead of the public Noto font URLs. `VITE_DEFAULT_LANGUAGE` sets the UI language for first-time visitors. Supported values: `en`, `ar`, `be`, `fr`, `de`, `es`, `zh`, `zh-TW`, `vi`, `tr`, `id`, `it`, `pt`, `nl`, `da`. Users can still switch languages — this only changes the default.
diff --git a/scripts/generate-security-headers.mjs b/scripts/generate-security-headers.mjs
index 2e30b8e..813e81e 100644
--- a/scripts/generate-security-headers.mjs
+++ b/scripts/generate-security-headers.mjs
@@ -55,14 +55,12 @@ const fontOrigins = uniq([ocrFontOrigin].filter(Boolean));

 const directives = [
 `default-src 'self'`,
- `script-src 'self' 'wasm-unsafe-eval' ${scriptOrigins.join(' ')}`.trim(),
+ `script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' ${scriptOrigins.join(' ')}`.trim(),
 `worker-src 'self' blob:`,
- `style-src 'self' 'unsafe-inline'`,
+ `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com`,
 `img-src 'self' data: blob: https:`,
- fontOrigins.length
- ? `font-src 'self' data: ${fontOrigins.join(' ')}`
- : `font-src 'self' data:`,
- `connect-src 'self' ${connectOrigins.join(' ')}`.trim(),
+ `font-src 'self' data: https://fonts.gstatic.com ${fontOrigins.join(' ')}`.trim(),
+ `connect-src 'self' https://api.github.com https://fonts.gstatic.com ${connectOrigins.join(' ')}`.trim(),
 `object-src 'none'`,
 `base-uri 'self'`,
 `frame-ancestors 'self'`,
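Review bot: The new `style-src`, `font-src` and `connect-src` lines hard-code the public origins `https://fonts.googleapis.com`, `https://fonts.gstatic.com` and `https://api.github.com` unconditionally, while every other external origin in this list is drawn from an overridable array (`scriptOrigins`, `fontOrigins`, `connectOrigins`), so an air-gapped build that replaces all defaults still ends up with these public hosts in its policy — which contradicts the docs hunk's "each default is replaced, not appended". If `fonts.gstatic.com` is the public Noto default that `ocrFontOrigin` is meant to replace, keep the removed ternary shape and only fall back to it when nothing is configured, e.g. `fontOrigins.length ? \`font-src 'self' data: ${fontOrigins.join(' ')}\` : \`font-src 'self' data: https://fonts.gstatic.com\``, and feed the GitHub and font hosts for `connect-src` through `connectOrigins` (or a documented, overridable default) instead of the literal string. Separately, `'unsafe-eval'` is now emitted for every build even though the docs say only the LibreOffice runtime needs it; if this script can see the same build flag that selects `SIMPLE_MODE`, gate the token on it here rather than asking operators to hand-edit the generated `security-headers.conf`, and note that `'unsafe-eval'` already permits WebAssembly compilation, so `'wasm-unsafe-eval'` is redundant whenever both are present. The `directives` array continues outside the hunk.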