From 80f278a74c645c6a6b56227a1a921866bc4ce94d Mon Sep 17 00:00:00 2001
From: Matthew Pomes <matthew.pomes@pm.me>
Date: Wed, 8 Oct 2025 00:43:24 -0500
Subject: [PATCH] Use nginx variable to build CSP

---
 nginx/sites-enabled/karakeep | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nginx/sites-enabled/karakeep b/nginx/sites-enabled/karakeep
index 2a4d886..197cdbc 100644
--- a/nginx/sites-enabled/karakeep
+++ b/nginx/sites-enabled/karakeep
@@ -40,7 +40,10 @@ server {
     # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
     # Enforces https content and restricts JS/CSS to origin
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* data: ; style-src 'self' 'unsafe-inline' data:; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:; worker-src 'self' blob: data:; connect-src 'self' data:; object-src 'none' data:; frame-ancestors 'self' data:; font-src 'self' data:";
+    set $CSP "default-src https: data: blob:";
+    set $CSP "$CSP; img-src 'self' https://* data:";
+    # add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* data: ; style-src 'self' 'unsafe-inline' data:; style-src-elem data:; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:; worker-src 'self' blob: data:; connect-src 'self' data:; object-src 'none' data:; frame-ancestors 'self' data:; font-src 'self' data:";
+    add_header Content-Security-Policy $CSP;
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;