From 0a39ceb662ac706a980bb658514179f3cbc661e4 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Fri, 22 Aug 2025 02:08:22 +0000
Subject: [PATCH] Update Next.js CSP to include public URL origin for frame sources

Co-authored-by: nate
---
 apps/web/next.config.mjs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/web/next.config.mjs b/apps/web/next.config.mjs
index ae775b010..e7b1561be 100644
--- a/apps/web/next.config.mjs
+++ b/apps/web/next.config.mjs
@@ -9,6 +9,7 @@ const __dirname = dirname(__filename);
 const apiUrl = new URL(env.NEXT_PUBLIC_API_URL).origin;
 const api2Url = new URL(env.NEXT_PUBLIC_API2_URL).origin;
 const profilePictureURL = 'https://googleusercontent.com';
+const publicUrlOrigin = new URL(env.NEXT_PUBLIC_URL).origin;
 
 // Derive Supabase origins (HTTP and WS) from env so CSP allows them in all modes
 const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
@@ -44,7 +45,7 @@ const createCspHeader = (isEmbed = false) => {
 ? `frame-ancestors 'self' *`
 : "frame-ancestors 'none'",
 // Frame sources - allow embeds from accepted domains
- "frame-src 'self' https://vercel.live https://*.twitter.com https://twitter.com https://*.x.com https://x.com https://*.youtube.com https://youtube.com https://*.youtube-nocookie.com https://youtube-nocookie.com https://*.youtu.be https://youtu.be https://*.vimeo.com https://vimeo.com",
+ "frame-src 'self' https://vercel.live https://*.twitter.com https://twitter.com https://*.x.com https://x.com https://*.youtube.com https://youtube.com https://*.youtube-nocookie.com https://youtube-nocookie.com https://*.youtu.be https://youtu.be https://*.vimeo.com https://vimeo.com ${publicUrlOrigin}",
 // Connect sources for API calls
 (() => {
 const connectSources = [
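Review bot: `new URL(env.NEXT_PUBLIC_URL).origin` on the added `publicUrlOrigin` line evaluates to the literal string `null` for any URL whose scheme is not http(s)-like (an opaque origin), and that value would then land in the CSP header as an allowlist entry for a host literally named `null`, so the line should reject that case instead of passing it through, e.g. `if (publicUrlOrigin === 'null') throw new Error('NEXT_PUBLIC_URL must be an http(s) URL');`. The line mirrors the `apiUrl`/`api2Url` pattern above it and so inherits the same throw-on-unset behaviour, which is acceptable here because a missing value fails loudly at config load rather than producing a weaker policy. Note that `.origin` normalises to scheme://host[:port], so stray `;`, whitespace or a path in the env value cannot split or extend the directive the value is spliced into.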
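Review bot: The new frame-src line is still a double-quoted string, so `${publicUrlOrigin}` is never interpolated and the emitted header carries the literal text `${publicUrlOrigin}` instead of the public origin, leaving the intended embed blocked exactly as before the change; the delimiters need to become backticks: `` `frame-src 'self' https://vercel.live … https://vimeo.com ${publicUrlOrigin}`, ``. The `frame-ancestors` line two above already uses a template literal, so this matches the surrounding style. Because `publicUrlOrigin` is built from `new URL(...).origin`, the interpolation itself cannot introduce `;` or whitespace and so does not let the env value add directives beyond the one origin. `createCspHeader` starts and ends outside this hunk.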