Benature/omnivore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update CSP

Browse Source
This commit is contained in:
Jackson Harper
2023-06-14 12:31:19 +08:00
parent 19493e969f
commit 4d8c15ebd0
1 changed files with 22 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
packages/web/next.config.js
View File

@ -1,17 +1,17 @@
const ContentSecurityPolicy = `
default-src 'none';
default-src 'self';
base-uri 'self';
block-all-mixed-content;
connect-src 'self' api-prod.omnivore.app api-demo.omnivore.app proxy-prod.omnivore-image-cache.app proxy-demo.omnivore-image-cache.app api.segment.io cdn.segment.com widget.intercom.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io platform.twitter.com;
font-src 'self';
form-action 'self' api-prod.omnivore.app api-demo.omnivore.app;
connect-src 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL} proxy-prod.omnivore-image-cache.app proxy-demo.omnivore-image-cache.app storage.googleapis.com api.segment.io cdn.segment.com widget.intercom.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io platform.twitter.com;
font-src 'self' data: cdn.jsdelivr.net;
form-action 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL};
frame-ancestors 'none';
frame-src 'none';
manifest-src 'self';
script-src script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self';
frame-src accounts.google.com platform.twitter.com;
manifest-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval' accounts.google.com widget.intercom.io js.intercomcdn.com platform.twitter.com cdnjs.cloudflare.com cdn.jsdelivr.net;
style-src 'self' 'unsafe-inline' accounts.google.com cdnjs.cloudflare.com;
img-src 'self' blob: data: https:;
worker-src 'self' blob:;
`
const moduleExports = {
@ -40,12 +40,19 @@ const moduleExports = {
destination: `https://api-${process.env.NEXT_PUBLIC_APP_ENV}.omnivore.app/api/mobile-auth/:path*`,
},
],
Headers: [
{
key: 'Content-Security-Policy',
value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
},
],
async headers() {
return [
{
source: '/(.*)',
headers: [
{
key: 'Content-Security-Policy',
value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
},
],
},
]
},
async redirects() {
return [
{