Updated CSP rules.

2025-02-01 12:29:35 +01:00 · 2023-11-30 23:40:58 -08:00 · 2023-11-30 23:40:58 -08:00 · d0e1912faf
commit d0e1912faf
parent 3bb82aebd8
1 changed files with 6 additions and 27 deletions
--- a/next.config.js
+++ b/next.config.js
@ -9,38 +9,21 @@ const contentSecurityPolicy = [
  `script-src 'self' 'unsafe-eval' 'unsafe-inline'`,
  `style-src 'self' 'unsafe-inline'`,
  `connect-src 'self' api.umami.is`,
-  `frame-src *`,
+  `frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''}`,
 ];

-const cspHeader = (values = []) => ({
-  key: 'Content-Security-Policy',
-  value: values
-    .join(';')
-    .replace(/\s{2,}/g, ' ')
-    .trim(),
-});
-
 const headers = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on',
  },
  {
-    key: 'X-Frame-Options',
-    value: 'SAMEORIGIN',
+    key: 'Content-Security-Policy',
+    value: contentSecurityPolicy
+      .join(';')
+      .replace(/\s{2,}/g, ' ')
+      .trim(),
  },
-  cspHeader(contentSecurityPolicy),
-];
-
-const shareHeaders = [
-  {
-    key: 'X-DNS-Prefetch-Control',
-    value: 'on',
-  },
-  cspHeader([
-    ...contentSecurityPolicy,
-    `frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''}`,
-  ]),
 ];

 if (process.env.FORCE_SSL) {
@ -142,10 +125,6 @@ const config = {
        source: '/:path*',
        headers,
      },
-      {
-        source: '/share/:path*',
-        headers: shareHeaders,
-      },
    ];
  },
  async rewrites() {