--disable-api-nodes now sets CSP header to force frontend offline. (#10829)

2025-12-16 01:37:04 +08:00 · 2025-11-21 14:51:55 -08:00 · 2025-11-21 14:51:55 -08:00 · 532938b16b
commit 532938b16b
parent ecb683b057
2 changed files with 20 additions and 1 deletions
--- a/comfy/cli_args.py
+++ b/comfy/cli_args.py
@ -160,7 +160,7 @@ parser.add_argument("--windows-standalone-build", action="store_true", help="Win
 parser.add_argument("--disable-metadata", action="store_true", help="Disable saving prompt metadata in files.")
 parser.add_argument("--disable-all-custom-nodes", action="store_true", help="Disable loading all custom nodes.")
 parser.add_argument("--whitelist-custom-nodes", type=str, nargs='+', default=[], help="Specify custom node folders to load even when --disable-all-custom-nodes is enabled.")
-parser.add_argument("--disable-api-nodes", action="store_true", help="Disable loading all api nodes.")
+parser.add_argument("--disable-api-nodes", action="store_true", help="Disable loading all api nodes. Also prevents the frontend from communicating with the internet.")

 parser.add_argument("--multi-user", action="store_true", help="Enables per-user storage.")

--- a/server.py
+++ b/server.py
@ -164,6 +164,22 @@ def create_origin_only_middleware():

    return origin_only_middleware

+
+def create_block_external_middleware():
+    @web.middleware
+    async def block_external_middleware(request: web.Request, handler):
+        if request.method == "OPTIONS":
+            # Pre-flight request. Reply successfully:
+            response = web.Response()
+        else:
+            response = await handler(request)
+
+        response.headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; frame-src 'self'; object-src 'self';"
+        return response
+
+    return block_external_middleware
+
+
 class PromptServer():
    def __init__(self, loop):
        PromptServer.instance = self
@ -193,6 +209,9 @@ class PromptServer():
        else:
            middlewares.append(create_origin_only_middleware())

+        if args.disable_api_nodes:
+            middlewares.append(create_block_external_middleware())
+
        max_upload_size = round(args.max_upload_size * 1024 * 1024)
        self.app = web.Application(client_max_size=max_upload_size, middlewares=middlewares)
        self.sockets = dict()