From 98bdc822397023130c8684d4f28c5ba2914be054 Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Wed, 1 Oct 2025 10:32:38 -0700
Subject: [PATCH 1/2] Updated CSP generation.
---
 next.config.ts | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/next.config.ts b/next.config.ts
index 17705dc2..f0324e41 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -14,14 +14,14 @@ const frameAncestors = process.env.ALLOWED_FRAME_URLS || '';
 const trackerScriptName = process.env.TRACKER_SCRIPT_NAME || '';
 const trackerScriptURL = process.env.TRACKER_SCRIPT_URL || '';
-const contentSecurityPolicy = [
- `default-src 'self'`,
- `img-src * data:`,
- `script-src 'self' 'unsafe-eval' 'unsafe-inline'`,
- `style-src 'self' 'unsafe-inline'`,
- `connect-src 'self' api.umami.is cloud.umami.is`,
- `frame-ancestors 'self' ${frameAncestors}`,
-];
+const contentSecurityPolicy = `
+ default-src 'self';
+ img-src 'self' https: data:;
+ script-src 'self' 'unsafe-eval' 'unsafe-inline';
+ style-src 'self' 'unsafe-inline';
+ connect-src 'self' api.umami.is cloud.umami.is;
+ frame-ancestors 'self' ${frameAncestors};
+`;
 const defaultHeaders = [
 {
@@ -30,10 +30,7 @@ const defaultHeaders = [
 },
 {
 key: 'Content-Security-Policy',
- value: contentSecurityPolicy
- .join(';')
- .replace(/\s{2,}/g, ' ')
- .trim(),
+ value: contentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
 },
 ];
From cd6ad0add26d118009ee28cc9f93c35df7ec5d3b Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Wed, 1 Oct 2025 11:16:33 -0700
Subject: [PATCH 2/2] Updated CSP.
---
 next.config.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/next.config.ts b/next.config.ts
index f0324e41..6fac599e 100644
--- a/next.config.ts
+++ b/next.config.ts
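Review bot: In the first hunk of PATCH 1/2, `${frameAncestors}` goes into the `frame-ancestors` line of the new template exactly as read from `ALLOWED_FRAME_URLS`, so a value containing `;`, `,` or a line break would add or corrupt directives in the emitted header instead of only extending the source list. The variable is assigned on the line shown in the hunk header, outside this hunk; normalising it there, e.g. `const frameAncestors = (process.env.ALLOWED_FRAME_URLS || '').replace(/[;,\r\n]+/g, ' ');`, keeps the policy well-formed whatever the operator sets. A short comment above the template explaining why `script-src` still carries `'unsafe-inline'` and `'unsafe-eval'` would also help, since with both present the policy does little to constrain injected script.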
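Review bot: In the second hunk of PATCH 1/2, the `\s{2,}` pattern on the new `value:` line collapses the template's line breaks only while every policy line stays indented. A lone newline or tab (an unindented line after reformatting, or one inside `ALLOWED_FRAME_URLS`) would pass through into the header value, where a line break is not a valid character. Collapsing any whitespace run is sturdier: `value: contentSecurityPolicy.replace(/\s+/g, ' ').trim(),`. The `defaultHeaders` array begins outside this hunk.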
@@ -19,7 +19,7 @@ const contentSecurityPolicy = `
 img-src 'self' https: data:;
 script-src 'self' 'unsafe-eval' 'unsafe-inline';
 style-src 'self' 'unsafe-inline';
- connect-src 'self' api.umami.is cloud.umami.is;
+ connect-src *;
 frame-ancestors 'self' ${frameAncestors};
 `;
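Review bot: `connect-src *` removes the policy's only limit on where page script may send requests (fetch, XHR, WebSocket, EventSource, sendBeacon), which the previous `'self' api.umami.is cloud.umami.is` list enforced. Because `script-src` in the same template allows `'unsafe-inline'` and `'unsafe-eval'`, the CSP would no longer stop an injected script from sending page data to an arbitrary host. If the aim is to let self-hosted installs reach extra endpoints, keep the allowlist and append an operator-supplied list, e.g. `connect-src 'self' api.umami.is cloud.umami.is ${connectSources};`, where `connectSources` is a placeholder name for a value read and validated like `frameAncestors`. The commit message gives no reason for the widening, so a comment above the directive stating it would help; the template literal opens above this hunk.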