[PR #25389] feat(web): add content security policy (CSP) #18190

Open
opened 2026-02-05 16:34:12 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/immich-app/immich/pull/25389
Author: @meesfrensel
Created: 1/20/2026
Status: 🔄 Open

Base: mainHead: feat/csp


📝 Commits (1)

  • 34906d6 feat(web): add content security policy (CSP)

📊 Changes

2 files changed (+10 additions, -1 deletions)

View changed files

📝 web/src/app.html (+1 -1)
📝 web/svelte.config.js (+9 -0)

📄 Description

Description

Adds CSP config to svelte config which in turn generates and adds the Content-Security-Policy header.

Fixes #23261
Closes #24633

Related discussion on how to setup CSP and other security measures on the proxy side: #13043

(not sure what to do about the docker build failure)

How Has This Been Tested?

  • Navigate to all pages within Immich checking the console for CSP errors, including the map, hovering over all types of assets, opening the asset viewer for all types of assets (e.g. photo sphere viewer does some weird blob loading), etc.
  • Service worker loads
  • Justified layout wasm loads
  • Enable Google cast support which requires the gstatic.com domain
  • UNTESTED: custom map styles

Please describe to which degree, if any, an LLM was used in creating this pull request.

None


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/immich-app/immich/pull/25389 **Author:** [@meesfrensel](https://github.com/meesfrensel) **Created:** 1/20/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `feat/csp` --- ### 📝 Commits (1) - [`34906d6`](https://github.com/immich-app/immich/commit/34906d636dd28dc044f9fc18687730356e67fd83) feat(web): add content security policy (CSP) ### 📊 Changes **2 files changed** (+10 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `web/src/app.html` (+1 -1) 📝 `web/svelte.config.js` (+9 -0) </details> ### 📄 Description ## Description Adds CSP config to svelte config which in turn generates and adds the Content-Security-Policy header. Fixes #23261 Closes #24633 Related discussion on how to setup CSP and other security measures on the proxy side: #13043 (not sure what to do about the docker build failure) ## How Has This Been Tested? - Navigate to all pages within Immich checking the console for CSP errors, including the map, hovering over all types of assets, opening the asset viewer for all types of assets (e.g. photo sphere viewer does some weird blob loading), etc. - Service worker loads - Justified layout wasm loads - Enable Google cast support which requires the gstatic.com domain - UNTESTED: custom map styles ## Please describe to which degree, if any, an LLM was used in creating this pull request. None --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
OVERLORD added the pull-request label 2026-02-05 16:34:12 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: immich-app/immich#18190