From 1e08475a0d2b646cd80a58c78ad9ca2a2c2c712f Mon Sep 17 00:00:00 2001
From: Adam Bilsing
Date: Wed, 4 Sep 2024 20:16:56 -0500
Subject: [PATCH] feat: CPX-632 add CSP with frame-ancestors
---
 src/middleware.ts | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/src/middleware.ts b/src/middleware.ts
index 662c8fd..4bf528b 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -9,7 +9,27 @@ const csrfProtect = csrf({
 });
 export async function middleware(request: NextRequest) {
- const response = NextResponse.next();
+ const cspHeader = `
+ frame-ancestors https://*.mybigcommerce.com
+ https://*.my-integration.zone
+ https://*.my-staging.zone
+ `;
+ const contentSecurityPolicyHeaderValue = cspHeader
+ .replace(/\s{2,}/g, ' ')
+ .trim();
+
+ const requestHeaders = new Headers(request.headers);
+
+ requestHeaders.set(
+ 'Content-Security-Policy',
+ contentSecurityPolicyHeaderValue
+ );
+
+ const response = NextResponse.next({
+ request: {
+ headers: requestHeaders,
+ },
+ });
 const csrfError = await csrfProtect(request, response);
@@ -17,9 +37,10 @@ export async function middleware(request: NextRequest) {
 return new NextResponse('invalid csrf token', { status: 403 });
 }
- return response;
-}
-
-export const config = {
- matcher: ['/productDescription/:productId*', '/api/generateDescription'],
+ response.headers.set(
+ 'Content-Security-Policy',
+ contentSecurityPolicyHeaderValue
+ );
+
+ return response
 }
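Review bot: `frame-ancestors https://*.mybigcommerce.com` in the new `cspHeader` lets any host under that domain embed the app, and the `*.my-integration.zone` / `*.my-staging.zone` entries ship in the same policy in every environment, so the clickjacking allowlist is only as tight as the weakest subdomain on any of the three domains (if per-merchant storefronts live under `*.mybigcommerce.com`, every store could frame this app). Consider taking the allowed ancestors from configuration so that integration and staging hosts are not part of the production policy, and narrowing the production entry to the specific embedding host(s) where they are known. Separately, copying the header onto `requestHeaders` and passing it through `NextResponse.next({ request: ... })` only matters when the policy carries a nonce the framework must read back from the request; with a static frame-ancestors-only policy it appears to do nothing, so either drop it or mark it with `// request copy is only needed once a nonce-based policy is added`. The body of `middleware` continues beyond this hunk.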
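Review bot: The 403 returned on `csrfError` is a fresh `NextResponse` built before the new `response.headers.set('Content-Security-Policy', ...)` runs, so that response leaves without the frame-ancestors policy; pass the header at construction, `return new NextResponse('invalid csrf token', { status: 403, headers: { 'Content-Security-Policy': contentSecurityPolicyHeaderValue } });`. This hunk also deletes `export const config = { matcher: [...] }`, which widens the middleware, and with it `csrfProtect` and its 403, from two routes to every request including `_next/static`, images and any API route third parties call; if that is intended the commit description should say so, otherwise a matcher that still excludes static assets should be restored. The new `return response` also drops the trailing semicolon the rest of the file uses. The start of `middleware` lies outside this hunk.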