Updated CSP rules.

next.config.js

@@ -9,38 +9,21 @@ const contentSecurityPolicy = [
   `script-src 'self' 'unsafe-eval' 'unsafe-inline'`,
   `style-src 'self' 'unsafe-inline'`,
   `connect-src 'self' api.umami.is`,
-  `frame-src *`,
+  `frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''}`,
 ];
 
-const cspHeader = (values = []) => ({
-  key: 'Content-Security-Policy',
-  value: values
-    .join(';')
-    .replace(/\s{2,}/g, ' ')
-    .trim(),
-});
-
 const headers = [
   {
     key: 'X-DNS-Prefetch-Control',
     value: 'on',
   },
   {
-    key: 'X-Frame-Options',
+    key: 'Content-Security-Policy',
-    value: 'SAMEORIGIN',
+    value: contentSecurityPolicy
+      .join(';')
+      .replace(/\s{2,}/g, ' ')
+      .trim(),
   },
-  cspHeader(contentSecurityPolicy),
-];
-
-const shareHeaders = [
-  {
-    key: 'X-DNS-Prefetch-Control',
-    value: 'on',
-  },
-  cspHeader([
-    ...contentSecurityPolicy,
-    `frame-ancestors 'self' ${process.env.ALLOWED_FRAME_URLS || ''}`,
-  ]),
 ];
 
 if (process.env.FORCE_SSL) {
@@ -142,10 +125,6 @@ const config = {
         source: '/:path*',
         headers,
       },
-      {
-        source: '/share/:path*',
-        headers: shareHeaders,
-      },
     ];
   },
   async rewrites() {