From 6a55db07664bbabb66e3a1b8e3e66c4e6d6562b2 Mon Sep 17 00:00:00 2001
From: Andray <light.and.ray@gmail.com>
Date: Sun, 3 May 2026 08:49:42 +0400
Subject: [PATCH] fix comfy manager (--enable-manager) doesn't work when
 --disable-api-nodes is used (Content-Security-Policy error)

---
 server.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/server.py b/server.py
index 881da8e66..ddef6b1b4 100644
--- a/server.py
+++ b/server.py
@@ -192,8 +192,18 @@ def create_block_external_middleware():
             response = web.Response()
         else:
             response = await handler(request)
-
-        response.headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' data:; frame-src 'self'; object-src 'self';"
+        connectSrc = "'self' data:"
+        if args.enable_manager:
+            connectSrc += " https://api.comfy.org"
+        response.headers['Content-Security-Policy'] = (
+            "default-src 'self'; "
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; "
+            "style-src 'self' 'unsafe-inline'; "
+            "img-src 'self' data: blob:; "
+            "font-src 'self'; "
+            f"connect-src {connectSrc}; "
+            "frame-src 'self'; "
+            "object-src 'self';")
         return response
 
     return block_external_middleware