From d0e1912fafdf097f48081e4eca6876031f077834 Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Thu, 30 Nov 2023 23:40:58 -0800
Subject: [PATCH] Updated CSP rules.

---
 next.config.js | 33 ++++++---------------------------
 1 file changed, 6 insertions(+), 27 deletions(-)

diff --git a/next.config.js b/next.config.js
index eaaf8fe7..c73790b8 100644
--- a/next.config.js
+++ b/next.config.js
@@ -9,38 +9,21 @@ const contentSecurityPolicy = [
   `script-src 'self' 'unsafe-eval' 'unsafe-inline'`,
   `style-src 'self' 'unsafe-inline'`,
   `connect-src 'self' api.umami.is`,
-  `frame-src *`,
+  `frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''}`,
 ];
 
-const cspHeader = (values = []) => ({
-  key: 'Content-Security-Policy',
-  value: values
-    .join(';')
-    .replace(/\s{2,}/g, ' ')
-    .trim(),
-});
-
 const headers = [
   {
     key: 'X-DNS-Prefetch-Control',
     value: 'on',
   },
   {
-    key: 'X-Frame-Options',
-    value: 'SAMEORIGIN',
+    key: 'Content-Security-Policy',
+    value: contentSecurityPolicy
+      .join(';')
+      .replace(/\s{2,}/g, ' ')
+      .trim(),
   },
-  cspHeader(contentSecurityPolicy),
-];
-
-const shareHeaders = [
-  {
-    key: 'X-DNS-Prefetch-Control',
-    value: 'on',
-  },
-  cspHeader([
-    ...contentSecurityPolicy,
-    `frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''}`,
-  ]),
 ];
 
 if (process.env.FORCE_SSL) {
@@ -142,10 +125,6 @@ const config = {
         source: '/:path*',
         headers,
       },
-      {
-        source: '/share/:path*',
-        headers: shareHeaders,
-      },
     ];
   },
   async rewrites() {
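Review bot: The added `frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''}` entry now lands in the CSP sent for `/:path*`, whereas the removed `shareHeaders` granted those origins only on `/share/:path*` and every other route carried `X-Frame-Options: SAMEORIGIN`; together with the second hunk dropping the `/share/` route, any origin listed in `ALLOWED_FRAME_URLS` can now frame the whole application rather than just share pages, which widens the clickjacking exposure. If that is intended it deserves a comment on the directive, e.g. `// frame-ancestors is applied to every route, not only /share/ — origins in ALLOWED_FRAME_URLS may embed any page`; otherwise the per-route split should be kept. The variable is also interpolated unvalidated, so a value containing `;` would append further directives to the policy; normalising it first, `const allowedFrameUrls = (process.env.ALLOWED_FRAME_URLS || '').split(/\s+/).filter((u) => u && !u.includes(';')).join(' ');` and then `` `frame-ancestors 'self' ${allowedFrameUrls}`, ``, keeps the header well-formed. The `contentSecurityPolicy` array is opened above the hunk and the route block that consumes `headers` lies outside it.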