Merge pull request #1972 from visualize-admin/fix/csp-adjustments

adintegra · web-flow · commit 0840dce7479e · 2025-01-14T14:16:50.000+01:00
fix: Updated CSP headers
diff --git a/app/next.config.js b/app/next.config.js
@@ -55,14 +55,18 @@ module.exports = withPreconstruct(
           headers[0].headers.push({
             key: "Content-Security-Policy",
             value: [
-              `default-src 'self' 'unsafe-inline'${process.env.NODE_ENV === "development" ? " 'unsafe-eval'" : ""} https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
-              `script-src 'self' 'unsafe-inline'${process.env.NODE_ENV === "development" ? " 'unsafe-eval'" : ""} https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
+              `default-src 'self' 'unsafe-inline'${
+                process.env.NODE_ENV === "development" ? " 'unsafe-eval'" : ""
+              } https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
+              `script-src 'self' 'unsafe-inline'${
+                process.env.NODE_ENV === "development" ? " 'unsafe-eval'" : ""
+              } https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
               `style-src 'self' 'unsafe-inline'`,
               `font-src 'self'`,
               `form-action 'self'`,
-              `connect-src 'self' https://*.sentry.io https://*.vercel.app https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com wss://*.pusher.com https://*.ldbar.ch`,
+              `connect-src 'self' https://*.admin.ch https://*.sentry.io https://*.vercel.app https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com wss://*.pusher.com https://*.ldbar.ch`,
               `img-src 'self' https://vercel.live https://vercel.com *.pusher.com *.pusherapp.com https://*.admin.ch https://*.opendataswiss.org https://*.google-analytics.com https://*.googletagmanager.com data: blob:`,
-              `script-src-elem 'self' 'unsafe-inline' https://*.admin.ch https://vercel.live https://vercel.com`,
+              `script-src-elem 'self' 'unsafe-inline' https://*.admin.ch https://vercel.live https://vercel.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com`,
               `worker-src 'self' blob: https://*.admin.ch`,
             ].join("; "),
           });
