From 25de5973a6fbd9b5ed7a8901aa733fef97fe5ada Mon Sep 17 00:00:00 2001
From: Gauthier Roebroeck
Date: Wed, 4 Jun 2025 10:37:12 +0800
Subject: [PATCH] fix(api): add CSP response header for untrusted epub resources

(cherry picked from commit cd257dbbe859ad42007371ae44094855fbea01f0)
---
 .../org/gotson/komga/interfaces/api/CommonBookController.kt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/komga/src/main/kotlin/org/gotson/komga/interfaces/api/CommonBookController.kt b/komga/src/main/kotlin/org/gotson/komga/interfaces/api/CommonBookController.kt
index 6261fd34e..061f6f9d7 100644
--- a/komga/src/main/kotlin/org/gotson/komga/interfaces/api/CommonBookController.kt
+++ b/komga/src/main/kotlin/org/gotson/komga/interfaces/api/CommonBookController.kt
@@ -281,6 +281,7 @@ class CommonBookController(
 if (ServletWebRequest(request).checkNotModified(getBookLastModified(media))) {
 return ResponseEntity
 .status(HttpStatus.NOT_MODIFIED)
+ .header("Content-Security-Policy", "script-src 'none'; object-src 'none';")
 .setNotModified(media)
 .body(ByteArray(0))
 }
@@ -305,6 +306,7 @@ class CommonBookController(
 .builder("inline")
 .filename(FilenameUtils.getName(resourceName), StandardCharsets.UTF_8)
 .build()
+ set("Content-Security-Policy", "script-src 'none'; object-src 'none';")
 },
 ).contentType(getMediaTypeOrDefault(res.mediaType))
 .setNotModified(media)
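Review bot: The policy added in both hunks restricts only `script-src` and `object-src`, and with no `default-src` fallback the untrusted XHTML can still pull stylesheets, images, fonts and frames from arbitrary origins and submit forms anywhere; if the reader only needs the epub's own same-origin resources, a tighter baseline such as `default-src 'self'; script-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none'` closes those paths while keeping the script/plugin block the commit intends. The same literal appears at new lines 284 and 309 through two different APIs (`.header(...)` on the builder and `set(...)` inside the headers lambda); hoisting it into a file-level `private const val EPUB_RESOURCE_CSP = "..."` keeps the 304 and 200 responses from drifting apart. A CSP header is only enforced on responses the browser renders as a document, so it is inert on image/CSS/font responses served through this same path — harmless, but a one-line comment such as `// enforced only when the resource is rendered as a document (XHTML); subresources are unaffected` would stop a later reader from assuming broader coverage. The enclosing function starts and ends outside both hunks.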