|
5 | 5 | * controlling which resources can be loaded and executed. |
6 | 6 | */ |
7 | 7 |
|
8 | | -// Third-party services domains |
9 | | -const THIRD_PARTY_DOMAINS = { |
10 | | - // Analytics |
11 | | - FATHOM_CDN: "https://*.usefathom.com", |
12 | | - FATHOM_API: "https://*.usefathom.com", |
13 | | - |
14 | | - // User feedback and support |
15 | | - MARKER_CDN: "https://*.marker.io", |
16 | | - MARKER_API: "https://*.marker.io", |
17 | | - |
18 | | - // General |
19 | | - VERCEL_IMAGES: "https://vercel.com", |
20 | | -}; |
21 | | - |
22 | | -// CSP directive configuration |
| 8 | +// Highly permissive CSP - allows most external resources while maintaining basic security |
23 | 9 | const CSP_DIRECTIVES = { |
24 | | - // Default policy for all resources |
25 | | - "default-src": ["'self'"], |
26 | | - |
27 | | - // JavaScript sources |
28 | | - "script-src": [ |
| 10 | + // Allow resources from anywhere but maintain some basic protections |
| 11 | + "default-src": [ |
29 | 12 | "'self'", |
30 | | - "'unsafe-inline'", // Required for Next.js |
31 | | - "'unsafe-eval'", // Required for development |
32 | | - THIRD_PARTY_DOMAINS.FATHOM_CDN, |
33 | | - THIRD_PARTY_DOMAINS.MARKER_CDN, |
| 13 | + "'unsafe-inline'", |
| 14 | + "'unsafe-eval'", |
| 15 | + "data:", |
| 16 | + "https:", |
| 17 | + "http:", |
34 | 18 | ], |
35 | 19 |
|
36 | | - // Network connections (fetch, XHR, WebSocket, etc.) |
37 | | - "connect-src": [ |
| 20 | + // Allow scripts from anywhere |
| 21 | + "script-src": [ |
38 | 22 | "'self'", |
39 | | - THIRD_PARTY_DOMAINS.FATHOM_API, |
40 | | - THIRD_PARTY_DOMAINS.MARKER_CDN, |
41 | | - THIRD_PARTY_DOMAINS.MARKER_API, |
| 23 | + "'unsafe-inline'", |
| 24 | + "'unsafe-eval'", |
| 25 | + "https:", |
| 26 | + "http:", |
| 27 | + "data:", |
42 | 28 | ], |
43 | 29 |
|
44 | | - // Image sources |
45 | | - "img-src": [ |
46 | | - "'self'", |
47 | | - THIRD_PARTY_DOMAINS.VERCEL_IMAGES, |
48 | | - THIRD_PARTY_DOMAINS.FATHOM_CDN, |
49 | | - ], |
| 30 | + // Allow connections to anywhere |
| 31 | + "connect-src": ["'self'", "https:", "http:", "ws:", "wss:"], |
50 | 32 |
|
51 | | - // CSS sources |
52 | | - "style-src": [ |
53 | | - "'self'", |
54 | | - "'unsafe-inline'", // Required for styled-components and inline styles |
55 | | - ], |
| 33 | + // Allow images from anywhere |
| 34 | + "img-src": ["'self'", "https:", "http:", "data:", "blob:"], |
| 35 | + |
| 36 | + // Allow styles from anywhere |
| 37 | + "style-src": ["'self'", "'unsafe-inline'", "https:", "http:"], |
56 | 38 |
|
57 | | - // Font sources |
58 | | - "font-src": ["'self'"], |
| 39 | + // Allow fonts from anywhere |
| 40 | + "font-src": ["'self'", "https:", "http:", "data:"], |
59 | 41 |
|
60 | | - // Object sources (plugins) |
| 42 | + // Still block object/embed for basic security |
61 | 43 | "object-src": ["'none'"], |
62 | 44 |
|
63 | | - // Child frames (empty means no restrictions) |
64 | | - "child-src": [], |
| 45 | + // Allow frames from anywhere |
| 46 | + "frame-src": ["'self'", "https:", "http:"], |
| 47 | + |
| 48 | + // Allow child frames from anywhere |
| 49 | + "child-src": ["'self'", "https:", "http:"], |
65 | 50 | }; |
66 | 51 |
|
67 | 52 | /** |
|