fix:use signed R2 URLs for uploaded media

- uploadToR2 now returns the storage path instead of a full URL.
- Generate signed R2 URLs (24h expiration) for images, thumbnails, and videos in the media processor and when loading finds.
- Update CSP to allow *.r2.cloudflarestorage.com for img-src.
2025-10-10 13:38:08 +02:00
parent e0f5595e88
commit 1d858e40e1
4 changed files with 51 additions and 10 deletions


@@ -50,7 +50,7 @@ export const handle: Handle = async ({ event, resolve }) => {
"worker-src 'self' blob:; " +
"style-src 'self' 'unsafe-inline' fonts.googleapis.com; " +
"font-src 'self' fonts.gstatic.com; " +
"img-src 'self' data: blob: *.openstreetmap.org *.tile.openstreetmap.org pub-6495d15c9d09b19ddc65f0a01892a183.r2.dev; " +
"img-src 'self' data: blob: *.openstreetmap.org *.tile.openstreetmap.org *.r2.cloudflarestorage.com; " +
"connect-src 'self' *.openstreetmap.org; " +
"frame-ancestors 'none'; " +
"base-uri 'self'; " +
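Review bot: The new `img-src` source `*.r2.cloudflarestorage.com` matches the storage endpoint of every R2 account, not only this project's, so it is broader than the single `pub-….r2.dev` host it replaces. Since the signed URLs all point at one account endpoint, the directive can be pinned to that host, e.g. `"img-src 'self' data: blob: *.openstreetmap.org *.tile.openstreetmap.org <ACCOUNT_ID>.r2.cloudflarestorage.com; " +`, where `<ACCOUNT_ID>` is a placeholder for the deployment's own value. The commit message also mentions signed URLs for videos, but only `img-src` changes here; if the policy falls back to a restrictive `default-src` or sets `media-src` (neither is visible in this hunk), signed video URLs would be blocked and need the same host added there. The `handle` body starts and ends outside the hunk, so the rest of the policy string could not be checked.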