Update Next.js CSP to include public URL origin for frame sources

Co-authored-by: nate <nate@buster.so>
Cursor Agent 2025-08-22 02:08:22 +00:00
parent 3d2909cc16
commit 0a39ceb662
1 changed files with 2 additions and 1 deletions


@ -9,6 +9,7 @@ const __dirname = dirname(__filename);
const apiUrl = new URL(env.NEXT_PUBLIC_API_URL).origin;
const api2Url = new URL(env.NEXT_PUBLIC_API2_URL).origin;
const profilePictureURL = 'https://googleusercontent.com';
const publicUrlOrigin = new URL(env.NEXT_PUBLIC_URL).origin;
// Derive Supabase origins (HTTP and WS) from env so CSP allows them in all modes
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
@ -44,7 +45,7 @@ const createCspHeader = (isEmbed = false) => {
? `frame-ancestors 'self' *`
: "frame-ancestors 'none'",
// Frame sources - allow embeds from accepted domains
"frame-src 'self' https://vercel.live https://*.twitter.com https://twitter.com https://*.x.com https://x.com https://*.youtube.com https://youtube.com https://*.youtube-nocookie.com https://youtube-nocookie.com https://*.youtu.be https://youtu.be https://*.vimeo.com https://vimeo.com",
"frame-src 'self' https://vercel.live https://*.twitter.com https://twitter.com https://*.x.com https://x.com https://*.youtube.com https://youtube.com https://*.youtube-nocookie.com https://youtube-nocookie.com https://*.youtu.be https://youtu.be https://*.vimeo.com https://vimeo.com ${publicUrlOrigin}",
// Connect sources for API calls
(() => {
const connectSources = [
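Review bot: On the new frame-src line in the second hunk, `${publicUrlOrigin}` sits inside a double-quoted string (as rendered here), so it is never interpolated: the header would carry the literal text `${publicUrlOrigin}`, which browsers discard as an invalid source expression, and the public origin this commit means to allow is not actually allowed. Wrap that line in backticks instead of double quotes, as the sibling `frame-ancestors 'self' *` entry a few lines up already does: `` `frame-src 'self' https://vercel.live … https://vimeo.com ${publicUrlOrigin}` ``. Since `'self'` already covers pages served from NEXT_PUBLIC_URL itself, the new entry only changes behaviour when the app is served from another host (previews, alternate domains), which is also why the non-interpolated string would fail silently; that intent is worth recording on the comment line above, e.g. `// Frame sources - allow embeds from accepted domains, plus the canonical public origin when served from another host`. The `new URL(env.NEXT_PUBLIC_URL).origin` added in the first hunk throws at module load when the variable is unset or malformed, consistent with the existing API URL lines, so NEXT_PUBLIC_URL must be present in every build environment. `createCspHeader` starts before and continues past this hunk.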