From 6316a0b917c8135c97e46593d6dac36b9d0a9fcc Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Thu, 29 Jun 2023 19:38:35 -0700
Subject: [PATCH] Fixed CSP issue, renamed var to ALLOWED_FRAME_URLS.
---
 next.config.js | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/next.config.js b/next.config.js
index e004566a..0778f979 100644
--- a/next.config.js
+++ b/next.config.js
@@ -2,18 +2,13 @@
 require('dotenv').config();
 const pkg = require('./package.json');
-const CLOUD_URL = 'https://cloud.umami.is';
-
-// Space-separated list of URLs that can load the "Share" dashboard, i.e. http://app.localhost:7000 https://*.vercel.app
-const EMBED_HOSTED_URL = process.env.EMBED_HOSTED_URL;
-
 const contentSecurityPolicy = `
 default-src 'self';
 img-src *;
 script-src 'self' 'unsafe-eval';
 style-src 'self' 'unsafe-inline';
 connect-src 'self' api.umami.is;
- frame-ancestors `self ${EMBED_HOSTED_URL}`;
+ frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS};
 `;
 const headers = [
@@ -68,7 +63,7 @@ const redirects = [
 },
 ];
-if (process.env.CLOUD_MODE && process.env.DISABLE_LOGIN && process.env.CLOUD_URL) {
+if (process.env.CLOUD_MODE && process.env.CLOUD_URL && process.env.DISABLE_LOGIN) {
 redirects.push({
 source: '/login',
 destination: process.env.CLOUD_URL,
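Review bot: In the first hunk, the new `frame-ancestors` line interpolates `process.env.ALLOWED_FRAME_URLS` directly, so when the variable is unset the policy carries the literal token `undefined` as a source; default it to an empty string, `frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''};`. The value also goes into the policy text unchecked, so a `;` in it would start a new directive and a lone `*` would allow framing from any origin; because this directive is the clickjacking control, rejecting values that contain `;` or line breaks before building the string would be worth adding. The commit also drops the only comment that described the variable's format, and I would keep one above the template, `// ALLOWED_FRAME_URLS: space-separated list of origins allowed to embed the app in a frame`. How `contentSecurityPolicy` is turned into a response header lies outside the hunk, so any normalisation done there is not visible here.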