From f3f23abd4e4bb886fbf4bc941e76f8adc9845dee Mon Sep 17 00:00:00 2001
From: nesquena-hermes
Date: Thu, 16 Apr 2026 23:34:21 -0700
Subject: [PATCH] =?UTF-8?q?fix(csp):=20allow=20external=20https=20images?=
 =?UTF-8?q?=20in=20img-src=20=E2=80=94=20closes=20#608?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Hermes Agent
---
 CHANGELOG.md | 5 +++++
 api/helpers.py | 2 +-
 static/index.html | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 062da02..03c1756 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Hermes Web UI -- Changelog
+## [v0.50.76] — 2026-04-17
+
+### Fixed
+- **CSP blocked external images in chat** — `img-src` in the Content Security Policy was restricted to `'self'` and `data:`, causing the browser to block any external image URLs (e.g. from Wikipedia, GitHub, or other HTTPS sources) that the agent rendered in a response. Expanded to `img-src 'self' data: https: blob:` so external images load correctly. (Closes #608)
+
 ## [v0.50.75] — 2026-04-17
 ### Fixed
diff --git a/api/helpers.py b/api/helpers.py
index 92c024c..95c7a0e 100644
--- a/api/helpers.py
+++ b/api/helpers.py
@@ -45,7 +45,7 @@ def _security_headers(handler):
 "default-src 'self'; "
 "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
 "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
- "img-src 'self' data:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
+ "img-src 'self' data: https: blob:; font-src 'self' data: https://cdn.jsdelivr.net; connect-src 'self'; "
 "base-uri 'self'; form-action 'self'"
 )
 handler.send_header(
diff --git a/static/index.html b/static/index.html
index 9e378c3..21bc73c 100644
--- a/static/index.html
+++ b/static/index.html
@@ -561,7 +561,7 @@
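Review bot: The new `"img-src 'self' data: https: blob:; ..."` line in api/helpers.py lets the browser fetch an image from any HTTPS origin that appears in agent-rendered output, and nothing at the site of the change records that this is a deliberate widening of the policy. Since the changelog says these images come from URLs the agent renders in a response, the URL of every such image — query string included — is sent to whatever origin the agent names, so a response shaped by untrusted content becomes an outbound channel; that may be an accepted tradeoff, but it belongs in the code. Suggest a comment above the directive such as `# img-src allows any https: origin so markdown images in agent responses render (#608);` followed by `# every image URL the agent emits is fetched by the browser — route images through a same-origin proxy or an allowlist if that is a concern.` If such a proxy is added later, `https:` can be narrowed back to `'self'`; `blob:` is also new here and the subject line does not mention it, though the changelog does. `_security_headers` starts before and continues after this hunk.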
System
- v0.50.75 + v0.50.76