@yacosta738
Contributor

Summary

  • Add CSP_OBJECT_SRC environment variable to allow 'self' blob: for PDF preview
  • Fixes CSP object-src 'none' directive blocking PDF preview using <object> tag with blob URLs

Problem

The PDF preview in the Resume Generator page uses <object type="application/pdf"> with a blob URL created by URL.createObjectURL(). The previous CSP policy had object-src 'none' which blocked this.

Solution

Make object-src configurable via CSP_OBJECT_SRC environment variable, defaulting to 'self' blob: to allow PDF blob URLs while maintaining security.

Changes

  • security-headers.conf.template: Use ${CSP_OBJECT_SRC} instead of hardcoded 'none'
  • docker-entrypoint.sh: Validate and substitute CSP_OBJECT_SRC
  • Dockerfile: Add default CSP_OBJECT_SRC="'self' blob:"
  • .env.example: Document the new variable

Deployment

After merging, set in Dokploy:

CSP_OBJECT_SRC="'self' blob:"

- Add CSP_OBJECT_SRC env var to allow 'self' blob: for PDF preview
- Update security-headers.conf.template with configurable object-src
- Update docker-entrypoint.sh to validate and substitute CSP_OBJECT_SRC
- Update Dockerfile with default CSP_OBJECT_SRC="'self' blob:"
- Document in .env.example

Fixes: CSP 'object-src none' blocking PDF preview using <object> tag
with blob URLs created by URL.createObjectURL()
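The PR description above explains the mechanism only in outline: the entrypoint checks that CSP_OBJECT_SRC is set and then substitutes it into security-headers.conf.template before nginx starts. The script below is an added example, not the cvix project's own docker-entrypoint.sh or template. Its function names, the constructed template text (a simplified stand-in for security-headers.conf.template, with a `$host` comment standing in for nginx's own `$variables`), the `sed`-based substitution used in place of gettext's `envsubst`, and the extra rejection of `;` and `"` inside a value are all this example's assumptions; the page itself only specifies an "is set" check.

```shell
#!/bin/sh
# Added example, not the cvix project's entrypoint: reproduces the
# validate-then-substitute step the PR describes for CSP_OBJECT_SRC so the
# rendered object-src directive can be checked before nginx ever starts.
# Helper names, the ';'/'"' rejection and the template text are this example's
# own assumptions; the template is a constructed stand-in for
# security-headers.conf.template.

CSP_VARS="CSP_SCRIPT_SRC CSP_STYLE_SRC CSP_CONNECT_SRC CSP_OBJECT_SRC"

# Constructed stand-in for security-headers.conf.template. The "$host" in the
# comment represents an nginx variable, which rendering must leave untouched.
CSP_TEMPLATE=$(cat <<'EOF'
# constructed stand-in for security-headers.conf.template; $host is an nginx variable
add_header Content-Security-Policy "default-src 'self'; script-src ${CSP_SCRIPT_SRC}; style-src ${CSP_STYLE_SRC}; connect-src ${CSP_CONNECT_SRC}; object-src ${CSP_OBJECT_SRC}" always;
EOF
)

# check_csp_vars: every CSP_* variable must be set (the check the PR adds),
# and, as an extra guard in this example, none may contain ';' or '"', since
# either would end the quoted header value and let a bad value inject further
# directives or nginx syntax. Returns 1 on the first failure.
check_csp_vars() {
  for name in $CSP_VARS; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "ERROR: $name is not set (example: CSP_OBJECT_SRC=\"'self' blob:\")" >&2
      return 1
    fi
    case "$value" in
      *\;*|*\"*)
        echo "ERROR: $name must not contain ';' or '\"': $value" >&2
        return 1 ;;
    esac
  done
  return 0
}

# render_csp_template: substitute only the ${CSP_*} placeholders, the same
# effect as giving envsubst an explicit variable list, so other $tokens in the
# file survive. sed is used here so the example runs without envsubst.
render_csp_template() {
  rendered=$CSP_TEMPLATE
  for name in $CSP_VARS; do
    eval "value=\${$name}"
    # escape sed replacement metacharacters: backslash, '&' and the '|' delimiter
    escaped=$(printf '%s' "$value" | sed 's/[|&\\]/\\&/g')
    rendered=$(printf '%s\n' "$rendered" | sed "s|\\\${$name}|$escaped|g")
  done
  printf '%s\n' "$rendered"
}

# csp_has_directive RENDERED NAME VALUE: 0 if the rendered header carries the
# directive "NAME VALUE" terminated by ';' or the closing quote, else 1.
csp_has_directive() {
  printf '%s\n' "$1" | grep -qF -e "$2 $3;" -e "$2 $3\""
}

# Stand-alone run with the values the PR documents, unless already set.
[ -n "${CSP_SCRIPT_SRC:-}" ]  || CSP_SCRIPT_SRC="'self' 'unsafe-inline'"
[ -n "${CSP_STYLE_SRC:-}" ]   || CSP_STYLE_SRC="'self' 'unsafe-inline'"
[ -n "${CSP_CONNECT_SRC:-}" ] || CSP_CONNECT_SRC="'self' https://api.example.com https://auth.example.com"
[ -n "${CSP_OBJECT_SRC:-}" ]  || CSP_OBJECT_SRC="'self' blob:"
export CSP_SCRIPT_SRC CSP_STYLE_SRC CSP_CONNECT_SRC CSP_OBJECT_SRC

# Same order as the entrypoint: validate first, render only if that passed.
check_csp_vars && render_csp_template
```

Run it with `CSP_OBJECT_SRC="'none'" sh render-csp.sh` to see the strict variant rendered, or with `CSP_OBJECT_SRC=` to see the validation failure the entrypoint would report. The substitution deliberately names the variables it replaces; running `envsubst` with no variable list over an nginx template also rewrites nginx's own `$host`, `$uri` and similar tokens, which is why the real entrypoint passes a list to both invocations.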
@github-actions github-actions bot added the area:frontend:web Changes in frontend web app (client/apps/webapp/**) label Dec 25, 2025
@coderabbitai
Contributor

coderabbitai bot commented Dec 25, 2025

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added support for PDF previews and embedded multimedia content through enhanced security policy handling.
  • Security

    • Updated Content Security Policy configuration to enable secure blob URL sources for embedded objects and media, maintaining strict security controls while expanding multimedia support capabilities.

Walkthrough

This PR introduces the CSP_OBJECT_SRC environment variable across the application's configuration and deployment stack to support object/embed element policies, specifically enabling blob URLs for PDF preview functionality.

Changes

Cohort (files): summary
  • Environment & Docker Configuration (.env.example, client/apps/webapp/Dockerfile): Added CSP_OBJECT_SRC directive with value 'self' blob: to enable blob URLs for PDF previews; includes explanatory comments for clarity
  • Runtime Configuration Processing (client/apps/webapp/docker-entrypoint.sh): Added validation check for CSP_OBJECT_SRC as a required environment variable; integrated into pre-flight checks, error messaging, and envsubst substitutions for config template rendering
  • Security Headers Template (client/apps/webapp/security-headers.conf.template): Updated Content-Security-Policy header to use ${CSP_OBJECT_SRC} template variable, replacing hardcoded 'none' value for object-src directive

Estimated Code Review Effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • fix: csp connect src #463: Follows an identical CSP configuration variable addition pattern (CSP_CONNECT_SRC) across the same set of files—serving as a parallel precedent for this change.

Suggested labels

frontend, security, documentation

Suggested reviewers

  • yuniel-acosta

Poem

🔐 A blob-bound object takes its place,
CSP directives find their space,
PDF previews now have their say,
Security configs lead the way! 📄✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Test Coverage (⚠️ Warning): PR introduces configuration validation and CSP header modifications without accompanying integration or E2E tests to verify correct behavior. Resolution: Add integration tests for environment variable validation and nginx template substitution; add E2E tests verifying PDF preview functionality with new CSP policy.
✅ Passed checks (5 passed)
  • Title check (✅ Passed): The title follows Conventional Commits format with 'fix' prefix and a clear description of the change related to CSP_OBJECT_SRC for PDF blob preview.
  • Description check (✅ Passed): The description comprehensively explains the problem, solution, and changes made, directly corresponding to the changeset modifications across all four affected files.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Clean Architecture Compliance (✅ Passed): Clean Architecture compliance check not applicable; PR contains only infrastructure and deployment configuration changes without modifications to application code layers.
  • Security Review (✅ Passed): PR introduces CSP configuration changes without security vulnerabilities. No secrets committed; all values are non-sensitive placeholders with explicit warnings against real credentials.

@coderabbitai coderabbitai bot requested a review from yuniel-acosta December 25, 2025 15:57
@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


@cloudflare-workers-and-pages

Deploying cvix with Cloudflare Pages

Latest commit: fbd3ecf
Status: ✅  Deploy successful!
Preview URL: https://52401f6a.cvix.pages.dev
Branch Preview URL: https://fix-csp-object-src.cvix.pages.dev

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bac5284 and fbd3ecf.

📒 Files selected for processing (4)
  • .env.example
  • client/apps/webapp/Dockerfile
  • client/apps/webapp/docker-entrypoint.sh
  • client/apps/webapp/security-headers.conf.template
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-20T14:56:41.648Z
Learnt from: CR
Repo: dallay/cvix PR: 0
File: .ruler/frontend/html-css.md:0-0
Timestamp: 2025-12-20T14:56:41.648Z
Learning: Implement Content Security Policy (CSP) headers to mitigate XSS and other content injection attacks

Applied to files:

  • .env.example
  • client/apps/webapp/security-headers.conf.template
🪛 dotenv-linter (4.0.0)
.env.example

[warning] 99-99: [UnorderedKey] The CSP_CONNECT_SRC key should go before the CSP_SCRIPT_SRC key

(UnorderedKey)


[warning] 100-100: [UnorderedKey] The CSP_OBJECT_SRC key should go before the CSP_SCRIPT_SRC key

(UnorderedKey)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: 🎭 E2E Tests (Playwright) (chromium)
  • GitHub Check: 🎭 E2E Tests (Playwright) (webkit)
  • GitHub Check: 🎭 E2E Tests (Playwright) (firefox)
  • GitHub Check: Frontend Build & Test
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: qodana
  • GitHub Check: Analyze (java-kotlin)
  • GitHub Check: Cloudflare Pages
🔇 Additional comments (7)
client/apps/webapp/Dockerfile (1)

88-93: LGTM with security advisory.

The CSP_OBJECT_SRC environment variable is properly configured with sensible defaults. The comment clearly documents both the permissive default and the strict alternative.

Security consideration: The default 'self' blob: enables blob URLs, which allow the application to create object URLs from arbitrary data. Ensure that:

  1. Blob URL creation in your PDF preview logic validates and sanitizes all input
  2. Only trusted, application-generated PDFs are rendered via blob URLs
  3. User-uploaded content rendered as blobs could enable data exfiltration or content injection

If PDF preview functionality isn't needed in all environments, consider setting CSP_OBJECT_SRC="'none'" in production and enabling blob: only where required.

Based on learnings, this aligns with implementing Content Security Policy headers to mitigate XSS and content injection attacks.

client/apps/webapp/security-headers.conf.template (2)

9-10: Clear documentation for CSP_OBJECT_SRC usage.

The template comments effectively document the purpose and security implications of the CSP_OBJECT_SRC directive, providing both permissive and strict examples.

Based on learnings, this aligns with implementing Content Security Policy headers to mitigate XSS and content injection attacks.


15-15: Proper variable substitution for object-src directive.

The Content-Security-Policy header correctly uses ${CSP_OBJECT_SRC} for runtime substitution, maintaining consistency with other CSP directives (script-src, style-src, connect-src).

client/apps/webapp/docker-entrypoint.sh (4)

28-28: Proper validation for CSP_OBJECT_SRC.

The pre-check correctly validates that CSP_OBJECT_SRC is set, maintaining consistency with other required CSP environment variables.


38-38: Clear error guidance for CSP_OBJECT_SRC.

The error message provides helpful context including the example value 'self' blob: for PDF preview, making it easy for operators to understand the purpose and configure correctly.


49-49: CSP_OBJECT_SRC included in environment summary.

The environment variable is properly logged during startup, aiding in troubleshooting and verification.


52-53: Complete envsubst configuration.

CSP_OBJECT_SRC is correctly included in both envsubst invocations, ensuring the variable is substituted in both nginx.conf.template and security-headers.conf.template. This completes the configuration chain from environment variable to runtime configuration.

Comment on lines +95 to +100
# CSP_OBJECT_SRC: Allowed sources for <object>, <embed>, <applet> elements.
# Use 'self' blob: to allow PDF preview with blob URLs, or 'none' for strict security.
CSP_SCRIPT_SRC="'self' 'unsafe-inline'"
CSP_STYLE_SRC="'self' 'unsafe-inline'"
CSP_CONNECT_SRC="'self' https://api.example.com https://auth.example.com"
CSP_OBJECT_SRC="'self' blob:"

🧹 Nitpick | 🔵 Trivial

Well-documented CSP_OBJECT_SRC configuration.

The documentation clearly explains the purpose of CSP_OBJECT_SRC, providing context for both the permissive default ('self' blob:) for PDF previews and the strict alternative ('none').

The static analysis warning about key ordering is purely cosmetic. If you want to maintain alphabetical ordering for easier scanning, consider reordering the CSP variables alphabetically:

🔎 Optional style improvement
 CSP_SCRIPT_SRC="'self' 'unsafe-inline'"
 CSP_STYLE_SRC="'self' 'unsafe-inline'"
-CSP_CONNECT_SRC="'self' https://api.example.com https://auth.example.com"
-CSP_OBJECT_SRC="'self' blob:"
+CSP_CONNECT_SRC="'self' https://api.example.com https://auth.example.com"
+CSP_OBJECT_SRC="'self' blob:"
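Review bot: the suggested hunk is a no-op. The two removed lines and the two added lines are identical and stay in the same position after CSP_STYLE_SRC, so applying it leaves the ordering the dotenv-linter flagged (CSP_CONNECT_SRC and CSP_OBJECT_SRC sorting after CSP_SCRIPT_SRC) exactly as it is. If the reorder is wanted, `CSP_CONNECT_SRC="'self' https://api.example.com https://auth.example.com"` and `CSP_OBJECT_SRC="'self' blob:"` need to move above `CSP_SCRIPT_SRC="'self' 'unsafe-inline'"`, and the two `# CSP_OBJECT_SRC:` comment lines, which currently sit above CSP_SCRIPT_SRC rather than above the key they describe, should move with CSP_OBJECT_SRC; otherwise the current grouping can simply stay, as the following sentence suggests.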

However, the current grouping (keeping related CSP directives together) is also reasonable and may be more intuitive than strict alphabetization.

Committable suggestion skipped: line range outside the PR's diff.


@codecov

codecov bot commented Dec 25, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.32%. Comparing base (f7bb881) to head (fbd3ecf).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #464   +/-   ##
=======================================
  Coverage   77.32%   77.32%           
=======================================
  Files          90       90           
  Lines        3370     3370           
  Branches      894      893    -1     
=======================================
  Hits         2606     2606           
  Misses        674      674           
  Partials       90       90           
Flag | Coverage | Δ
frontend | 77.32% <ø> | (ø)


@github-actions
Contributor

Qodana for JVM

77 new problems were found

Inspection name | Severity | Problems
Unused symbol | 🔶 Warning | 43
Invalid YAML configuration | 🔶 Warning | 6
Potentially ambiguous 'kotlin.coroutine.coroutineContext' usage | 🔶 Warning | 4
Unresolved reference in KDoc | 🔶 Warning | 2
Redundant qualifier name | 🔶 Warning | 2
Unstable API Usage | 🔶 Warning | 2
Unknown HTTP header | ◽️ Notice | 10
Duplicated code fragment | ◽️ Notice | 2
Unnecessary type argument | ◽️ Notice | 2
Multi-dollar interpolation can be used in string literals (available since 2.1) | ◽️ Notice | 1
String concatenation that can be converted to string template | ◽️ Notice | 1
If-Null return/break/... foldable to '?:' | ◽️ Notice | 1
Vulnerable declared dependency | ◽️ Notice | 1

Labels

area:frontend:web Changes in frontend web app (client/apps/webapp/**) documentation frontend security