Planned

Adjust the content-security-policy for items opened in new tab?

rickcecil 2 weeks ago updated 2 weeks ago 9

I am loving FileRun so far. The UI looks great. The plugins feature is incredibly powerful. I've just hit one snag -- and, unfortunately, it's a pretty big one for me.


I am running a local hypothes.is server and use a bookmarklet to activate the script that allows me to annotate pages. I am also using singlefile to download web pages for reading later. I wanted to use FileRun as a way to access and annotate the saved web pages. However, the issue is the content-security-policy that FileRun seems to set. I would like to have the domains of my bookmarklet and hypothesis servers (they are local to my network) be included in the content-security-policy so I can make all this work.

I've tried a few things (from setting it in my proxy server to the htaccess to the "open in new tab" plugin), but clearly haven't stumbled onto the right way to make this work.


Any help would be greatly appreciated.

Under review

You are asking to open FileRun to a major security risk. This will not be allowed in a multiuser environment.

Perhaps there will be a config option that could be added for this, for cases where you know exactly what you are doing and there aren't other people using your FileRun instance.

Better to just save your webpages as PDF.

> Better to just save your webpages as PDF.

That is also an option that I am exploring. There are several other, separate issues that I am running into, though. At this point, I am just exploring both options. 

Ideally, I would have a script that would export a list of links either via singlefile or PDF. I am fine with either. And then use FileRun to open them via PDF.js and annotate them via Hypothesis.

FWIW, the reason I want to use PDF.js rather than the browser's default PDF reader is because mobile safari does not allow bookmarklets to run on PDF files opened in the default PDF reader, but will allow it to run if I use PDF.js.


Thanks!

I'm planning to add a PDFJS plugin to FileRun as well, to be used with mobile browsers which do not render PDF.

I'll post my plugin code to Github and link to it from here over the weekend. The only caveat being that I am not a programmer, so it is cobbled together from bits and pieces from a few other plugins -- mainly the epub.js plugin. 

> You are asking to open FileRun to a major security risk. This will not be allowed in a multiuser environment. Perhaps there will be a config option that could be added for this, for cases where you know exactly what you are doing and there aren't other people using your FileRun instance.

100% understand that this would not be suitable for a multi-user environment. And I can see why you would be hesitant to add this functionality at all.

For reference, I have a single-user environment that is only accessible from my home network. My hope was that by specifying exactly which domains it could run scripts from -- rather than giving all HTML files the ability to run scripts -- it would limit my exposure.

Not saying that this is the right solution, but here is a similar feature in Calibre-Web:

https://github.com/janeczku/calibre-web/issues/2372

Planned

Fair enough. I'll add to the todo list the option of adding trusted domains.

Just realized that I wasn't signed in when I made those last two posts. But the above posts from "anonymous" are from me...
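
The trusted-domains idea discussed in this thread (naming the exact origins scripts may load from, rather than letting every opened HTML file run scripts), sketched as an added example that is not part of the thread and is not FileRun's code. The baseline policy, the host names and the choice of `script-src`/`connect-src` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed baseline for illustration; not FileRun's actual header.
BASE_POLICY = "default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'"

def parse_csp(header):
    """Parse a CSP header value into {directive: [sources]}; the first duplicate wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def validate_origin(origin):
    """Accept only scheme://host[:port]; refuse wildcards, keywords, paths and userinfo."""
    u = urlsplit(origin)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"not an http(s) origin: {origin!r}")
    if "*" in origin or "@" in u.netloc or u.path not in ("", "/") or u.query or u.fragment:
        raise ValueError(f"origin must be an exact scheme://host[:port]: {origin!r}")
    return f"{u.scheme}://{u.netloc.lower()}"

def allow_trusted(header, origins, directives=("script-src", "connect-src")):
    """Return the policy with each trusted origin appended to the given directives."""
    policy = parse_csp(header)
    trusted = [validate_origin(o) for o in origins]
    for name in directives:
        # An absent directive inherits default-src, so start from that list.
        inherited = policy.get(name, policy.get("default-src", []))
        sources = [s for s in inherited if s != "'none'"]
        policy[name] = sources + [o for o in trusted if o not in sources]
    return "; ".join(" ".join([name] + srcs) for name, srcs in policy.items())

def script_allowed(header, origin):
    """Simplified matcher: exact origins, '*' and scheme sources such as 'https:' only."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    return any(s in ("*", origin, urlsplit(origin).scheme + ":") for s in sources)

# Hypothetical single-user setup: two named hosts on the home network.
TRUSTED = ["https://hypothesis.home.example", "https://bookmarklet.home.example:8443"]
HARDENED = allow_trusted(BASE_POLICY, TRUSTED)

if __name__ == "__main__":
    print(HARDENED)
    for candidate in ("https://hypothesis.home.example", "https://other.example"):
        print(candidate, script_allowed(HARDENED, candidate), script_allowed("script-src *", candidate))
```

With the named origins, a saved page can load scripts only from those two hosts; under `script-src *` any host referenced by a saved page would be accepted.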