fix: CSP connect-src web.archive.org, Clipboard ohne Permission-Dialog

This commit is contained in:
2026-06-12 11:25:37 +02:00
parent 45ac6dd8c0
commit cc2d65c18f
2 changed files with 12 additions and 6 deletions

View File

@@ -33,7 +33,7 @@ app.use((_req, res, next) => {
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
"font-src 'self' https://fonts.gstatic.com",
// iCal-Feeds werden serverseitig geprosxt → nur 'self' nötig
"connect-src 'self'",
"connect-src 'self' https://web.archive.org",
// data: für Avatare (base64), google.com + gstatic.com für Favicons im QuickLinks-Widget
"img-src 'self' data: https://www.google.com https://*.gstatic.com https://image.tmdb.org",
"worker-src 'self'",

View File

@@ -94,11 +94,17 @@ export default function PaywallKiller() {
setTimeout(() => inputRef.current?.focus(), 50);
}
async function handlePaste() {
try {
const text = await navigator.clipboard.readText();
if (text) setInputUrl(text.trim());
} catch { inputRef.current?.focus(); }
function handlePaste() {
// Fokus ins Input setzen und nativen Paste auslösen kein Permission-Dialog
const input = inputRef.current;
if (!input) return;
input.focus();
// execCommand('paste') funktioniert auf Android ohne Clipboard-Permission
const ok = document.execCommand('paste');
if (!ok) {
// Fallback: nur fokussieren, User kann selbst einfügen
input.select();
}
}
const isChecking = status === 'checking';