feat: configure CSP for self-hosting and multiple ports in dev mode (#1364)

Closes #1358 Closes #1359 ⚠️ Need to update the preview and prod environment with a "NEXT_PUBLIC_FRONTEND_URL" variable before merging.
2024-11-30 21:28:56 +03:00 · 2023-10-09 17:02:15 +02:00 · 2023-10-09 17:02:15 +02:00 · 2c7d48cf4e
commit 2c7d48cf4e
parent 77e135fb5b
2 changed files with 5 additions and 33 deletions
--- a/.frontend_env.example
+++ b/.frontend_env.example
@ -1,5 +1,6 @@
 NEXT_PUBLIC_ENV=local
 NEXT_PUBLIC_BACKEND_URL=http://localhost:5050
+NEXT_PUBLIC_FRONTEND_URL=http://localhost:*
 NEXT_PUBLIC_SUPABASE_URL=<change-me>
 NEXT_PUBLIC_SUPABASE_ANON_KEY=<change-me>

@ -12,4 +13,3 @@ NEXT_PUBLIC_GA_ID=<ignore-me-or-change-me>
 NEXT_PUBLIC_E2E_URL=http://localhost:3003
 NEXT_PUBLIC_E2E_EMAIL=<ignore-me-or-change-me>
 NEXT_PUBLIC_E2E_PASSWORD=<ignore-me-or-change-me>
-
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@ -24,11 +24,7 @@ const ContentSecurityPolicy = {
    "https://fonts.googleapis.com",
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    "https://api.june.so",
-    {
-      prod: "https://www.quivr.app/",
-      preview: "https://preview.quivr.app/",
-      local: ["http://localhost:3000", "http://localhost:3001"],
-    },
+    process.env.NEXT_PUBLIC_FRONTEND_URL,
  ],
  "connect-src": [
    "'self'",
@ -43,44 +39,20 @@ const ContentSecurityPolicy = {
  "media-src": [
    "'self'",
    "https://user-images.githubusercontent.com",
-    "https://www.quivr.app/",
+    process.env.NEXT_PUBLIC_FRONTEND_URL,
    "https://quivr-cms.s3.eu-west-3.amazonaws.com",
  ],
  "script-src": [
    "'unsafe-inline'",
    "'unsafe-eval'",
    "https://va.vercel-scripts.com/",
-    {
-      prod: "https://www.quivr.app/",
-      preview: "https://preview.quivr.app/",
-      local: ["http://localhost:3000", "http://localhost:3001"],
-    },
+    process.env.NEXT_PUBLIC_FRONTEND_URL,
    "https://www.google-analytics.com/",
  ],
  "frame-ancestors": ["'none'"],
-  "style-src": [
-    "'unsafe-inline'",
-    {
-      prod: "https://www.quivr.app/",
-      preview: "https://preview.quivr.app/",
-      local: ["http://localhost:3000", "http://localhost:3001"],
-    },
-  ],
+  "style-src": ["'unsafe-inline'", process.env.NEXT_PUBLIC_FRONTEND_URL],
 };

-// Resolve environment-specific CSP values
-for (const directive of Object.values(ContentSecurityPolicy)) {
-  for (const [index, resource] of directive.entries()) {
-    if (typeof resource === "string") {
-      continue;
-    }
-    directive[index] = resource[process.env.NEXT_PUBLIC_ENV];
-    if (Array.isArray(directive[index])) {
-      directive[index] = directive[index].join(" ");
-    }
-  }
-}
-
 // Build CSP string
 const cspString = Object.entries(ContentSecurityPolicy)
  .map(([key, values]) => `${key} ${values.join(" ")};`)