From e7fab851945892f609bae88f271313cc3bdbb578 Mon Sep 17 00:00:00 2001
From: Jackson Harper
Date: Tue, 13 Jun 2023 22:12:32 +0800
Subject: [PATCH 1/5] Update CSP move it into next config
---
 packages/web/next.config.js | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/packages/web/next.config.js b/packages/web/next.config.js
index 19fd0aacf..1ef122c74 100644
--- a/packages/web/next.config.js
+++ b/packages/web/next.config.js
@@ -1,3 +1,17 @@
+const ContentSecurityPolicy = `
+ default-src 'none';
+ base-uri 'self';
+ block-all-mixed-content;
+ connect-src 'self' api-prod.omnivore.app api-demo.omnivore.app;
+ font-src 'self';
+ form-action 'self' api-prod.omnivore.app api-demo.omnivore.app;
+ frame-ancestors 'none';
+ frame-src 'none';
+ manifest-src 'self';
+ script-src script-src 'self' 'unsafe-inline';
+ style-src 'self' 'unsafe-inline';
+`
+
 const moduleExports = {
 images: {
 domains: [
@@ -24,6 +38,12 @@ const moduleExports = {
 destination: `https://api-${process.env.NEXT_PUBLIC_APP_ENV}.omnivore.app/api/mobile-auth/:path*`,
 },
 ],
+ Headers: [
+ {
+ key: 'Content-Security-Policy',
+ value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
+ },
+ ],
 async redirects() {
 return [
 {
From 19493e969fd21dc1b058475810e90b6db7cda50d Mon Sep 17 00:00:00 2001
From: Jackson Harper
Date: Wed, 14 Jun 2023 11:29:56 +0800
Subject: [PATCH 2/5] Add a few more CSP directives
---
 packages/web/next.config.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/web/next.config.js b/packages/web/next.config.js
index 1ef122c74..bbda2f6cb 100644
--- a/packages/web/next.config.js
+++ b/packages/web/next.config.js
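Review bot: `script-src script-src 'self' 'unsafe-inline';` in the added policy repeats the directive name, so the second `script-src` token will be parsed as a (meaningless) host-source rather than as the directive; the line should read `script-src 'self' 'unsafe-inline';`. `block-all-mixed-content` on the same hunk is a deprecated directive that survives all five patches of this series; `upgrade-insecure-requests;` is the current replacement when the site is served over HTTPS. Note also that with `default-src 'none'` and no `img-src` directive, every image on the page is blocked until PATCH 2/5 adds one.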
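Review bot: `Headers:` is not a key next.config.js recognizes, so this commit never emits the Content-Security-Policy header; Next.js expects an `async headers()` function returning `{ source, headers }` entries, which PATCH 3/5 in this series introduces. Until then the policy exists only as a string and nothing is enforced, which is worth knowing when bisecting CSP-related reports against this range.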
@@ -2,7 +2,7 @@ const ContentSecurityPolicy = `
 default-src 'none';
 base-uri 'self';
 block-all-mixed-content;
- connect-src 'self' api-prod.omnivore.app api-demo.omnivore.app;
+ connect-src 'self' api-prod.omnivore.app api-demo.omnivore.app proxy-prod.omnivore-image-cache.app proxy-demo.omnivore-image-cache.app api.segment.io cdn.segment.com widget.intercom.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io platform.twitter.com;
 font-src 'self';
 form-action 'self' api-prod.omnivore.app api-demo.omnivore.app;
 frame-ancestors 'none';
@@ -10,6 +10,8 @@ const ContentSecurityPolicy = `
 manifest-src 'self';
 script-src script-src 'self' 'unsafe-inline';
 style-src 'self' 'unsafe-inline';
+ img-src 'self';
+ manifest-src 'self';
 `
 const moduleExports = {
From 4d8c15ebd01a09021e1a9edd5a5fb463df80e08f Mon Sep 17 00:00:00 2001
From: Jackson Harper
Date: Wed, 14 Jun 2023 12:31:19 +0800
Subject: [PATCH 3/5] Update CSP
---
 packages/web/next.config.js | 37 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/packages/web/next.config.js b/packages/web/next.config.js
index bbda2f6cb..b0baa8b2c 100644
--- a/packages/web/next.config.js
+++ b/packages/web/next.config.js
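Review bot: The added `manifest-src 'self';` duplicates the directive already present three lines above in the same hunk; a user agent keeps the first occurrence of a directive name and ignores later ones, so the new line is dead and will only surface as a console warning. Drop it and leave `img-src 'self';` as the only addition in this hunk. In the first hunk of this patch the new connect-src hosts (segment, intercom, twitter) become reachable for XHR and websockets, but their scripts still cannot load under `default-src 'none'` with no matching `script-src` entry, so those integrations stay non-functional until PATCH 3/5 widens `script-src`.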
@@ -1,17 +1,17 @@
 const ContentSecurityPolicy = `
- default-src 'none';
+ default-src 'self';
 base-uri 'self';
 block-all-mixed-content;
- connect-src 'self' api-prod.omnivore.app api-demo.omnivore.app proxy-prod.omnivore-image-cache.app proxy-demo.omnivore-image-cache.app api.segment.io cdn.segment.com widget.intercom.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io platform.twitter.com;
- font-src 'self';
- form-action 'self' api-prod.omnivore.app api-demo.omnivore.app;
+ connect-src 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL} proxy-prod.omnivore-image-cache.app proxy-demo.omnivore-image-cache.app storage.googleapis.com api.segment.io cdn.segment.com widget.intercom.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io platform.twitter.com;
+ font-src 'self' data: cdn.jsdelivr.net;
+ form-action 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL};
 frame-ancestors 'none';
- frame-src 'none';
- manifest-src 'self';
- script-src script-src 'self' 'unsafe-inline';
- style-src 'self' 'unsafe-inline';
- img-src 'self';
+ frame-src accounts.google.com platform.twitter.com;
 manifest-src 'self';
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' accounts.google.com widget.intercom.io js.intercomcdn.com platform.twitter.com cdnjs.cloudflare.com cdn.jsdelivr.net;
+ style-src 'self' 'unsafe-inline' accounts.google.com cdnjs.cloudflare.com;
+ img-src 'self' blob: data: https:;
+ worker-src 'self' blob:;
 `
 const moduleExports = {
@@ -40,12 +40,19 @@ const moduleExports = {
 destination: `https://api-${process.env.NEXT_PUBLIC_APP_ENV}.omnivore.app/api/mobile-auth/:path*`,
 },
 ],
- Headers: [
- {
- key: 'Content-Security-Policy',
- value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
- },
- ],
+ async headers() {
+ return [
+ {
+ source: '/(.*)',
+ headers: [
+ {
+ key: 'Content-Security-Policy',
+ value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
+ },
+ ],
+ },
+ ]
+ },
 async redirects() {
 return [
 {
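Review bot: `${process.env.NEXT_PUBLIC_SERVER_BASE_URL}` in the new `connect-src` and `form-action` lines is interpolated unguarded, so a build where the variable is unset emits the literal token `undefined` into the policy and requests to the real API origin are blocked with no build-time error; fail early with `if (!process.env.NEXT_PUBLIC_SERVER_BASE_URL) throw new Error('NEXT_PUBLIC_SERVER_BASE_URL is required to build the CSP');` above the template. The move from `default-src 'none'` to `'self'` together with `'unsafe-inline' 'unsafe-eval'` in `script-src` leaves the policy with little XSS value; if those keywords are only needed for development, gate them on `process.env.NODE_ENV !== 'production'` and move the production build toward nonces or hashes. With `default-src 'self'` and no `object-src` directive, plugin content from the site's own origin is now permitted, so add `object-src 'none';`. `img-src 'self' blob: data: https:` deliberately allows any HTTPS image host, which is defensible for rendering saved articles but deserves a comment saying so.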
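Review bot: The value returned from the new `async headers()` is computed when Next loads the config (at build or server start, not per request), so the interpolated `NEXT_PUBLIC_SERVER_BASE_URL` is frozen at that point and changing the environment later needs a rebuild; a one-line comment above `async headers() {` such as `// CSP is fixed at config load; NEXT_PUBLIC_SERVER_BASE_URL must be set when building` would save the next maintainer a debugging session. Hoisting `ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim()` into a named constant beside the template would also let the cleaned value be logged or unit-tested outside Next's header pipeline. The `moduleExports` object starts and ends outside this hunk.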
From 8e171539b145511838671903d1c557d86a09fd70 Mon Sep 17 00:00:00 2001
From: Jackson Harper
Date: Fri, 16 Jun 2023 13:38:27 +0800
Subject: [PATCH 4/5] Add segment
---
 packages/web/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/web/next.config.js b/packages/web/next.config.js
index b0baa8b2c..0147e9973 100644
--- a/packages/web/next.config.js
+++ b/packages/web/next.config.js
@@ -8,7 +8,7 @@ const ContentSecurityPolicy = `
 frame-ancestors 'none';
 frame-src accounts.google.com platform.twitter.com;
 manifest-src 'self';
- script-src 'self' 'unsafe-inline' 'unsafe-eval' accounts.google.com widget.intercom.io js.intercomcdn.com platform.twitter.com cdnjs.cloudflare.com cdn.jsdelivr.net;
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' accounts.google.com widget.intercom.io js.intercomcdn.com platform.twitter.com cdnjs.cloudflare.com cdn.jsdelivr.net cdn.segment.com;
 style-src 'self' 'unsafe-inline' accounts.google.com cdnjs.cloudflare.com;
 img-src 'self' blob: data: https:;
 worker-src 'self' blob:;
From 174f865a470e724c2f133a57c8d05f117c47951e Mon Sep 17 00:00:00 2001
From: Jackson Harper
Date: Fri, 16 Jun 2023 13:52:49 +0800
Subject: [PATCH 5/5] Add youtube-nocookie to CSP
---
 packages/web/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/web/next.config.js b/packages/web/next.config.js
index 0147e9973..aa52c8144 100644
--- a/packages/web/next.config.js
+++ b/packages/web/next.config.js
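Review bot: Adding `cdn.segment.com` as a bare host to `script-src` continues the pattern of allowing whole CDNs for script; `cdnjs.cloudflare.com` and `cdn.jsdelivr.net` on the same line serve every published package, so a host-wide allowance lets any injected tag pull an arbitrary library from them, which undoes most of what the directive is for. CSP host-sources accept a path, so narrow each entry to the asset actually loaded, e.g. `cdn.segment.com/<path-of-the-analytics-bundle>/` (placeholder, take the real path from the script tag), and put `integrity` attributes on the tags that load from the shared CDNs. The enclosing template literal starts and ends outside this hunk.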
@@ -6,7 +6,7 @@ const ContentSecurityPolicy = `
 font-src 'self' data: cdn.jsdelivr.net;
 form-action 'self' ${process.env.NEXT_PUBLIC_SERVER_BASE_URL};
 frame-ancestors 'none';
- frame-src accounts.google.com platform.twitter.com;
+ frame-src accounts.google.com platform.twitter.com www.youtube-nocookie.com;
 manifest-src 'self';
 script-src 'self' 'unsafe-inline' 'unsafe-eval' accounts.google.com widget.intercom.io js.intercomcdn.com platform.twitter.com cdnjs.cloudflare.com cdn.jsdelivr.net cdn.segment.com;
 style-src 'self' 'unsafe-inline' accounts.google.com cdnjs.cloudflare.com;
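Review bot: `www.youtube-nocookie.com` is the third `frame-src` host added across this series without any record of which feature needs it, and the same is true of every third-party entry in the policy; a maintainer pruning the list later has no way to tell what breaks when a host is removed. Add a short comment per group above the template, e.g. `// frame-src: Google sign-in, embedded tweets, embedded YouTube players`, or a comment naming the feature next to each directive. Those comments must live outside the backticks: inside the template literal they would become part of the header value that is sent to browsers. The enclosing template literal starts and ends outside this hunk.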