Merge pull request #57 from bigcommerce/CPX-632c

feat: CPX-632 add CSP with frame-ancestors
bigcommerce · Sep 11, 2024 · c3d47a4 · c3d47a4
2 parents 721c214 + 1e08475
commit c3d47a4
Showing 1 changed file with 27 additions and 6 deletions.
diff --git a/src/middleware.ts b/src/middleware.ts
@@ -9,17 +9,38 @@ const csrfProtect = csrf({
 });
 
 export async function middleware(request: NextRequest) {
-    const response = NextResponse.next();
+    const cspHeader = `
+        frame-ancestors https://*.mybigcommerce.com
+        https://*.my-integration.zone
+        https://*.my-staging.zone
+    `;
+    const contentSecurityPolicyHeaderValue = cspHeader
+    .replace(/\s{2,}/g, ' ')
+    .trim();
+
+    const requestHeaders = new Headers(request.headers);
+
+    requestHeaders.set(
+        'Content-Security-Policy',
+        contentSecurityPolicyHeaderValue
+    );
+
+    const response = NextResponse.next({
+        request: {
+            headers: requestHeaders,
+        },
+    });
 
     const csrfError = await csrfProtect(request, response);
 
     if (csrfError) {
         return new NextResponse('invalid csrf token', { status: 403 });
     }
 
-    return response;
-}
-
-export const config = {
-    matcher: ['/productDescription/:productId*', '/api/generateDescription'],
+    response.headers.set(
+        'Content-Security-Policy',
+        contentSecurityPolicyHeaderValue
+    );
+
+    return response
 }