Ling0925
/
buster
mirror of https://github.com/buster-so/buster.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

refactor csp policy

This commit is contained in:
Nate Kelley 2025-04-01 12:58:24 -06:00
parent 0091f308c3
commit 14e5047af6
No known key found for this signature in database
GPG Key ID: FD90372AB8D98B4F
1 changed files with 41 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
web/next.config.mjs
View File

@ -5,6 +5,45 @@ import { dirname } from 'path';
const __filename = fileURLToPath(import.meta.url); const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename); const __dirname = dirname(__filename);
// Function to create CSP header with dynamic API URLs
const createCspHeader = (isEmbed = false) => {
const apiUrl = process.env.NEXT_PUBLIC_API_URL
? new URL(process.env.NEXT_PUBLIC_API_URL).origin
: '';
const wsUrl = process.env.NEXT_PUBLIC_WEB_SOCKET_URL
? new URL(process.env.NEXT_PUBLIC_WEB_SOCKET_URL).origin
.replace('https', 'wss')
.replace('http', 'ws')
: '';
return [
// Default directives
"default-src 'self'",
// Scripts
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://*.vercel.app https://cdn.jsdelivr.net https://*.cloudflareinsights.com",
// Styles
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net",
// Images
"img-src 'self' blob: data: https://*.vercel.app https://*.supabase.co",
// Fonts
"font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net",
// Frame ancestors
isEmbed ? `frame-ancestors 'self' *` : "frame-ancestors 'none'",
// Connect sources for API calls
`connect-src 'self' http://127.0.0.1:* ws://127.0.0.1:* https://*.vercel.app https://*.supabase.co wss://*.supabase.co https://*.onporter.run wss://*.onporter.run ${apiUrl} ${wsUrl}`.trim(),
// Media
"media-src 'self'",
// Object
"object-src 'none'",
// Form actions
"form-action 'self'",
// Base URI
"base-uri 'self'",
// Manifest
"manifest-src 'self'"
].join('; ');
};
/** @type {import('next').NextConfig} */ /** @type {import('next').NextConfig} */
const nextConfig = { const nextConfig = {
reactStrictMode: false, reactStrictMode: false,
@ -26,7 +65,7 @@ const nextConfig = {
headers: [ headers: [
{ {
key: 'Content-Security-Policy', key: 'Content-Security-Policy',
value: defaultCspHeader value: createCspHeader(false)
} }
] ]
}, },
@ -35,7 +74,7 @@ const nextConfig = {
headers: [ headers: [
{ {
key: 'Content-Security-Policy', key: 'Content-Security-Policy',
value: embedCspHeader value: createCspHeader(true)
} }
] ]
} }
@ -44,57 +83,3 @@ const nextConfig = {
}; };
export default nextConfig; export default nextConfig;
const defaultCspHeader = [
// Default directives
"default-src 'self'",
// Scripts
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://*.vercel.app https://cdn.jsdelivr.net",
// Styles
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net",
// Images
"img-src 'self' blob: data: https://*.vercel.app https://*.supabase.co",
// Fonts
"font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net",
// Frame ancestors - no embedding for non-embed routes
"frame-ancestors 'none'",
// Connect sources for API calls
"connect-src 'self' http://127.0.0.1:* ws://127.0.0.1:* https://*.vercel.app https://*.supabase.co wss://*.supabase.co",
// Media
"media-src 'self'",
// Object
"object-src 'none'",
// Form actions
"form-action 'self'",
// Base URI
"base-uri 'self'",
// Manifest
"manifest-src 'self'"
].join('; ');
const embedCspHeader = [
// Default directives
"default-src 'self'",
// Scripts
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://*.vercel.app https://cdn.jsdelivr.net",
// Styles
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net",
// Images
"img-src 'self' blob: data: https://*.vercel.app https://*.supabase.co",
// Fonts
"font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net",
// Frame ancestors - allow embedding from any domain for /embed routes
`frame-ancestors 'self' *`,
// Connect sources for API calls
"connect-src 'self' http://127.0.0.1:* ws://127.0.0.1:* https://*.vercel.app https://*.supabase.co wss://*.supabase.co",
// Media
"media-src 'self'",
// Object
"object-src 'none'",
// Form actions
"form-action 'self'",
// Base URI
"base-uri 'self'",
// Manifest
"manifest-src 'self'"
].join('; ');