fix(csp): allow *.publicnode.com + explicit mainnet RPC to stop eth.merkle.io CSP errors

Shaw · claude · Shaw · commit 9fd9e37e3d18 · 2026-05-21T05:10:25.000-04:00
wagmi's http() transport with no URL falls back to eth.merkle.io for Ethereum mainnet, which was not in the CSP connect-src and caused a flood of blocked-connection errors on every page that loads the wallet stack (including /bsc). Fix: provide explicit https://eth.publicnode.com as the mainnet fallback transport so the RPC is deterministic and CSP-controllable. Expand the single https://base-rpc.publicnode.com entry in _headers to https://*.publicnode.com, covering mainnet + Base + BSC publicnode RPCs without adding bytes (CSP stays at 1738 chars, under the 1900 Cloudflare Pages limit). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/packages/cloud-frontend/public/_headers b/packages/cloud-frontend/public/_headers
@@ -12,7 +12,7 @@
 # cross-origin calls but the canonical path is /api/* through the Function.
 
 /*
-  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.r2.cloudflarestorage.com https://raw.githubusercontent.com https://*.fbcdn.net https://*.cdninstagram.com https://images.unsplash.com https://pbs.twimg.com https://abs.twimg.com https://cdn.discordapp.com; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self' https://oauth.telegram.org; frame-ancestors 'self'; child-src 'self' https://elizacloud.ai https://*.steward.fi https://verify.walletconnect.com https://verify.walletconnect.org https://challenges.cloudflare.com https://oauth.telegram.org https://www.youtube.com https://youtube.com; frame-src 'self' https://elizacloud.ai https://*.steward.fi https://verify.walletconnect.com https://verify.walletconnect.org https://challenges.cloudflare.com https://oauth.telegram.org https://www.youtube.com https://youtube.com; connect-src 'self' https://elizacloud.ai https://api.elizacloud.ai https://base-rpc.publicnode.com https://bsc-dataseed.binance.org https://api.mainnet-beta.solana.com https://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.com wss://*.walletconnect.org https://challenges.cloudflare.com https://*.steward.fi https://*.helius-rpc.com https://*.alchemy.com https://*.coinbase.com wss://*.coinbase.com https://*.web3modal.org https://*.web3modal.com https://*.reown.com https://*.phantom.app https://*.solflare.com; worker-src 'self' blob:; manifest-src 'self'; media-src 'self' data: blob: https://*.r2.cloudflarestorage.com https://video-placeholder.eliza.ai
+  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.r2.cloudflarestorage.com https://raw.githubusercontent.com https://*.fbcdn.net https://*.cdninstagram.com https://images.unsplash.com https://pbs.twimg.com https://abs.twimg.com https://cdn.discordapp.com; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self' https://oauth.telegram.org; frame-ancestors 'self'; child-src 'self' https://elizacloud.ai https://*.steward.fi https://verify.walletconnect.com https://verify.walletconnect.org https://challenges.cloudflare.com https://oauth.telegram.org https://www.youtube.com https://youtube.com; frame-src 'self' https://elizacloud.ai https://*.steward.fi https://verify.walletconnect.com https://verify.walletconnect.org https://challenges.cloudflare.com https://oauth.telegram.org https://www.youtube.com https://youtube.com; connect-src 'self' https://elizacloud.ai https://api.elizacloud.ai https://*.publicnode.com https://bsc-dataseed.binance.org https://api.mainnet-beta.solana.com https://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.com wss://*.walletconnect.org https://challenges.cloudflare.com https://*.steward.fi https://*.helius-rpc.com https://*.alchemy.com https://*.coinbase.com wss://*.coinbase.com https://*.web3modal.org https://*.web3modal.com https://*.reown.com https://*.phantom.app https://*.solflare.com; worker-src 'self' blob:; manifest-src 'self'; media-src 'self' data: blob: https://*.r2.cloudflarestorage.com https://video-placeholder.eliza.ai
   X-Frame-Options: SAMEORIGIN
   X-Content-Type-Options: nosniff
   Referrer-Policy: strict-origin-when-cross-origin
diff --git a/packages/cloud-frontend/src/pages/login/steward-wallet-providers.tsx b/packages/cloud-frontend/src/pages/login/steward-wallet-providers.tsx
@@ -53,10 +53,10 @@ export function StewardWalletProviders({
         transports: {
           [mainnet.id]: alchemyKey
             ? http(`https://eth-mainnet.g.alchemy.com/v2/${alchemyKey}`)
-            : http(),
+            : http("https://eth.publicnode.com"),
           [base.id]: alchemyKey
             ? http(`https://base-mainnet.g.alchemy.com/v2/${alchemyKey}`)
-            : http(),
+            : http("https://base-rpc.publicnode.com"),
           [bsc.id]: http("https://bsc-dataseed.binance.org"),
         },
         ssr: false,
