app.py

@@ -60,15 +60,16 @@ from pytesseract import Output
 app = Flask(__name__)
 app.config.from_object(Config)
 
-
 # Konfiguracja nagłówków bezpieczeństwa z .env
 csp_policy = None
 if app.config.get("ENABLE_CSP", True):
     csp_policy = {
         'default-src': "'self'",
-        'script-src': "'self'",
-        'style-src': "'self'",
-        'connect-src': "'self'",
+        'script-src': "'self'",  # wciąż bez inline JS
+        'style-src': "'self' 'unsafe-inline'",  # dopuszczamy style w HTML-u
+        'img-src': "'self' data:",  # pozwalamy na data:image (np. SVG)
+        'connect-src': "'self'",  # WebSockety
+        'script-src': "'self' 'unsafe-inline'"
     }
 
 talisman = Talisman(
@@ -80,7 +81,6 @@ talisman = Talisman(
     x_content_type_options=app.config.get("ENABLE_XCTO", True),
 )
 
-
 register_heif_opener()  # pillow_heif dla HEIC
 
 ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "heic"}