Full page archive CSS blocked by Content-Security-Policy on asset endpoint #2621
Description
Describe the Bug
Full page archives created by monolith render without any CSS styling. Monolith inlines stylesheets as data:text/css;base64,... URIs, but the CSP header sent when serving assets via /api/assets/* is:
style-src 'unsafe-inline' https:
This blocks data: URI stylesheets. The browser console shows repeated errors like:
Loading the stylesheet 'data:text/css;charset=utf-8;base64,...' violates the following Content Security Policy directive: "style-src 'unsafe-inline' https:". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback. The action has been blocked.
The fix is to add data: to the style-src directive when serving archived assets:
style-src 'unsafe-inline' https: data:
The same likely applies to font-src and img-src, since monolith also inlines fonts and images as data: URIs.
Steps to Reproduce
Example site that reproduces this: https://openrocket.info
- Enable CRAWLER_FULL_PAGE_ARCHIVE=true
- Bookmark any page with external CSS (most sites)
- Wait for crawl to complete
- Open the bookmark, go to "Offline copies", view the full page archive
- Page renders unstyled — open browser console to see CSP violations
Expected Behaviour
The full page archive should render with CSS intact, since monolith has already inlined all styles.
Exact Karakeep Version
0.31.0
Screenshots or Additional Context
No response
Device Details
Chrome/Chromium
Environment Details
Docker Compose, reverse proxied via nginx
Debug Logs
No response
Troubleshooting Docs
- I have reviewed the troubleshooting docs
Workaround
Override the CSP header at the reverse proxy level for /api/assets, adding data: to style-src, img-src, and font-src.
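To check the behaviour described in this report outside a browser, here is an added JavaScript example (not Karakeep's or monolith's code) that evaluates a CSP header against a resource URL using the style-src-elem to style-src fallback the console message describes, and builds the widened header the workaround applies to /api/assets. The header value, the data: stylesheet and the karakeep.example origin are constructed placeholders.

```javascript
// Parse "style-src 'unsafe-inline' https:; img-src https:" into a Map
// of directive name -> source expressions (first occurrence wins, per spec).
function parseCsp(header) {
  const csp = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !csp.has(name.toLowerCase())) csp.set(name.toLowerCase(), sources);
  }
  return csp;
}

// Fallback chain for a <link rel="stylesheet"> load, as the console message states.
const FALLBACKS = {
  "style-src-elem": ["style-src-elem", "style-src", "default-src"],
};

// Does `url` match the effective directive? Handles keyword sources ('self'),
// scheme sources ("https:", "data:") and full-origin host sources only;
// a complete matcher would also cover wildcards, paths, nonces and hashes.
function isAllowed(header, directive, url, pageOrigin) {
  const csp = parseCsp(header);
  const chain = FALLBACKS[directive] || [directive, "default-src"];
  const effective = chain.find((d) => csp.has(d));
  if (!effective) return true; // no governing directive: nothing to enforce
  const { protocol, origin } = new URL(url); // data: URLs have origin "null"
  return csp.get(effective).some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return origin === pageOrigin;
    if (s.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes never match a URL
    if (s.endsWith(":") && !s.includes("/")) return protocol === s; // scheme source
    try { return new URL(s).origin === origin; } catch { return false; } // host source
  });
}

// Append a source expression to the given directives, e.g. the fix proposed
// in the issue: "data:" on style-src, img-src and font-src for the asset route.
function addSource(header, directives, source) {
  const csp = parseCsp(header);
  for (const d of directives) {
    const list = csp.get(d) || [];
    if (!list.includes(source)) csp.set(d, [...list, source]);
  }
  return [...csp].map(([name, list]) => [name, ...list].join(" ")).join("; ");
}

// Constructed sample header modelled on the one quoted in the issue.
const CURRENT_CSP = "style-src 'unsafe-inline' https:; img-src https:; font-src https:";
const ASSET_CSP = addSource(CURRENT_CSP, ["style-src", "img-src", "font-src"], "data:");
const INLINED_CSS = "data:text/css;charset=utf-8;base64,Ym9keXtjb2xvcjpyZWR9"; // constructed
```

Keep the data: allowance scoped to the asset route: adding it to the application's main CSP would also let injected data: stylesheets, fonts and images load there.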