Update CSP for Cloudflare Insights and cleanup login

essesoul · essesoul · commit 9127e3909555 · 2025-10-23T17:55:53.000+08:00
Expanded Content Security Policy to allow Cloudflare Insights pixel and beacon for analytics. Also removed 'loggedOut' from localStorage after successful login or registration to ensure proper session state.
diff --git a/backend/app.py b/backend/app.py
@@ -72,11 +72,14 @@ def set_security_headers(resp):
         # Basic hardening; allow required third-party origins used in app
         csp_parts = [
             "default-src 'self'",
-            "img-src 'self' data:",
+            # Allow self + data URLs + Cloudflare Insights pixel if used
+            "img-src 'self' data: https://cloudflareinsights.com",
             "font-src 'self' https://cdnjs.cloudflare.com data:",
             "style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'",
-            "script-src 'self' https://cdnjs.cloudflare.com https://challenges.cloudflare.com 'unsafe-inline'",
-            "connect-src 'self'",
+            # Allow Cloudflare Turnstile + Cloudflare Insights beacon
+            "script-src 'self' https://cdnjs.cloudflare.com https://challenges.cloudflare.com https://static.cloudflareinsights.com 'unsafe-inline'",
+            # Permit outgoing analytics beacons
+            "connect-src 'self' https://cloudflareinsights.com",
             "frame-src 'self' https://challenges.cloudflare.com",
             "object-src 'none'",
             "base-uri 'self'",
diff --git a/backend/templates/login.html b/backend/templates/login.html
@@ -140,6 +140,7 @@ <h4 class="modal-title" id="fpTitle" style="margin:0">找回密码</h4>
         const password = document.getElementById('password').value;
         try{
           await post('/api/auth/login', { email, password });
+          try{ localStorage.removeItem('loggedOut'); }catch{}
           location.href = '/';
         }catch(e){ msg.textContent = '登录失败：'+e.message }
       }
@@ -150,6 +151,7 @@ <h4 class="modal-title" id="fpTitle" style="margin:0">找回密码</h4>
           const password = document.getElementById('password').value;
           try{
             await post('/api/auth/register', { email, password });
+            try{ localStorage.removeItem('loggedOut'); }catch{}
             location.href = '/';
           }catch(e){ msg.textContent = '注册失败：'+e.message }
         };
