mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 23:21:44 -05:00
[PR #24512] [CLOSED] feat: add configurable artifact CSP support #98733
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24512
Author: @michaellrowley
Created: 5/9/2026
Status: ❌ Closed
Base:
dev← Head:owui-artifact-csp-support📝 Commits (1)
1e26013feat: add configurable artifact CSP support📊 Changes
6 files changed (+78 additions, -4 deletions)
View changed files
📝
backend/open_webui/config.py(+6 -0)📝
backend/open_webui/main.py(+5 -0)📝
backend/open_webui/routers/auths.py(+4 -0)📝
src/lib/components/admin/Settings/General.svelte(+17 -0)📝
src/lib/components/chat/Artifacts.svelte(+42 -4)📝
src/lib/stores/index.ts(+4 -0)📄 Description
Pull Request Checklist
Note to first-time contributors: Please open a discussion post in Discussions to discuss your idea/fix with the community before creating a pull request, and describe your changes before submitting a pull request.
This is to ensure large feature PRs are discussed with the community first, before starting work on it. If the community does not want this feature or it is not relevant for Open WebUI as a project, it can be identified in the discussion before working on the feature and submitting the PR.
Before submitting, make sure you've checked the following:
devbranch. PRs targetingmainwill be immediately closed.Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
Design & Architecture: Prefer smart defaults over adding new settings; use local state for ephemeral UI logic. Open a Discussion for major architectural or UX changes.
Git Hygiene: Keep PRs atomic (one logical change). Clean up commits and rebase on
devto ensure no unrelated commits (e.g. frommain) are included. Push updates to the existing PR branch instead of closing and reopening.Title Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
Changelog Entry
Description
This pull request introduces support for configuring a Content Security Policy (CSP) specifically for artifact iframe previews in OpenWebUI. The new setting can be managed via environment variables, the admin UI, and API, and is injected into artifact iframes to enhance security. The implementation includes backend configuration, admin interface updates, frontend injection logic, and comprehensive tests.
These changes collectively improve the security and configurability of artifact previews in OpenWebUI.
Added
src/lib/components/admin/Settings/General.svelte)ARTIFACT_CONTENT_SECURITY_POLICYenvironment variable and backend config option to control the CSP for artifact iframes. This value is exposed in both general and admin config APIs. (.env.example,backend/open_webui/config.py,backend/open_webui/main.py.applyArtifactContentSecurityPolicyutility to inject or replace the CSP meta tag in artifact iframe HTML, ensuring the configured policy is always applied. (src/lib/utils/artifacts.ts)src/lib/utils/artifacts.test.ts)Changed
src/lib/stores/index.ts, (src/lib/stores/index.ts).src/lib/components/chat/Artifacts.svelte)Deprecated
None
Removed
None
Fixed
N/A
Security
Breaking Changes
None AFAIK; by default, the setting is initialized as an empty string, which should default to browser default.
Additional Information
Screenshots or Videos
CSP configuration is at the bottom of the first screenshot in each of the below 'note' sections.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.