Space: send upgrade-insecure-requests as response header (meta too late for Gradio's early theme.css link)
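--- a/app.py
+++ b/app.py
@@ -104,6 +104,20 @@ with gr.Blocks(title="Tiny Army") as demo:
 
 # Mount Gradio on FastAPI so we can also serve the JS module + the sprite assets.
 fastapi_app = FastAPI()
+
+
+# Behind HF's custom-domain proxy Gradio emits its theme.css <link> as http://
+# (the app doesn't see HTTPS), and that link is in the HTML *before* our head=
+# meta — so a meta CSP can't upgrade it in time. Sending the CSP as a response
+# HEADER governs the whole document regardless of in-page order, so the browser
+# upgrades the http theme.css (and any other mixed content) to https.
+@fastapi_app.middleware("http")
+async def upgrade_insecure(request, call_next):
+    resp = await call_next(request)
+    resp.headers["Content-Security-Policy"] = "upgrade-insecure-requests"
+    return resp
+
+
 fastapi_app.mount("/web", StaticFiles(directory=WEB), name="web")
 # NOTE: serve sprite assets at /sprites, NOT /assets — Gradio serves its own UI
 # bundle from /assets, and mounting there shadows it (breaks the whole UI).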