docs(caddy): note future CSP must allow wasm-unsafe-eval for pdf.js

If a Content-Security-Policy is ever added, it must permit
'wasm-unsafe-eval' (script-src) and 'self' blob: (worker-src) or the
pdf.js wasm decoders and worker break and scanned PDFs render blank.
Forward-looking note so the future CSP author doesn't silently
reintroduce #708.

Refs #708

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Marcel
2026-06-01 20:17:08 +02:00
committed by marcel
parent e8e57d2712
commit b8e01f997d
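One shape a future policy could take, written here as an added example rather than anything this commit or the project ships: a Caddy `header` block that keeps the existing Permissions-Policy and Server-header removal and adds a Content-Security-Policy meeting the two constraints the commit message names. The site address, the `default-src`, `object-src` and `base-uri` directives, and the choice of `'self'` as the base script source are assumptions; only the `'wasm-unsafe-eval'` and `worker-src 'self' blob:` pieces come from the commit.

```caddyfile
# Added example, not part of commit b8e01f997d. Site address and the
# directives other than script-src/worker-src are assumptions.
example.com {
    header {
        # 'self' is assumed to be what already allows the app's own scripts;
        # 'wasm-unsafe-eval' is added next to it so pdf.js can compile its
        # WebAssembly image decoders (JBIG2/CCITTFax/JPEG2000). A script-src
        # containing only 'wasm-unsafe-eval' would block every script.
        #
        # worker-src needs blob: as well as 'self' because pdf.js may spawn
        # its worker from a blob: URL. If worker-src were omitted the browser
        # would fall back to child-src, then script-src, then default-src,
        # none of which allow blob: here, and the worker would be refused.
        Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; worker-src 'self' blob:; object-src 'none'; base-uri 'self'"
        Permissions-Policy "camera=(), microphone=(), geolocation=()"
        -Server
    }
}
```

Because a dedicated worker loaded from a real URL is governed by the CSP delivered with its own script response, the `header` block must apply to the pdf.js worker script as well as to the HTML document; a site-wide block like the one above does that, but a policy attached only to the document route would not.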


@@ -22,6 +22,10 @@
# XSS landing in a privileged origin: a payload cannot silently turn # XSS landing in a privileged origin: a payload cannot silently turn
# on the microphone or read geolocation. # on the microphone or read geolocation.
Permissions-Policy "camera=(), microphone=(), geolocation=()" Permissions-Policy "camera=(), microphone=(), geolocation=()"
# No Content-Security-Policy is set yet. When one is added, it MUST
# include `script-src 'wasm-unsafe-eval'` and `worker-src 'self' blob:`
# or the pdf.js WebAssembly image decoders (JBIG2/CCITTFax/JPEG2000)
# and worker will be blocked and scanned PDFs render blank. See #708.
-Server -Server
} }
} }
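Review bot: the new comment's `script-src 'wasm-unsafe-eval'` reads as if that were the whole directive, which would block every script on the page; state it as a source expression to add next to whatever already allows the app's scripts (e.g. `script-src 'self' 'wasm-unsafe-eval'`). Two caveats belong in the same comment so the future CSP author does not trip over them: `worker-src` falls back to `child-src`, then `script-src`, then `default-src` when absent, so an author who writes only `script-src` still needs `blob:` there or the blob-URL worker is refused; and a dedicated worker fetched from a URL is governed by the CSP sent with its own script response, not only the document's, so the policy must be emitted on the worker script as well, which this site-wide `header` block does but a per-route one would not. Since a comment is easy to miss, consider also adding a test that renders a scanned PDF, so a future CSP fails the build rather than silently reintroducing #708.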