|
1 | 1 | import { NextResponse, type NextRequest } from "next/server";
|
2 | 2 |
|
3 |
| -// file: middleware.ts |
4 | 3 | export function middleware(request: NextRequest) {
|
5 | 4 | const requestHeaders = new Headers(request.headers);
|
6 | 5 | const response = initResponse();
|
@@ -45,18 +44,26 @@ function getContentSecurityPolicyHeaderValue(nonce: string, reportUri: string):
|
45 | 44 | "frame-ancestors": [`'none'`],
|
46 | 45 | "font-src": [`'self'`],
|
47 | 46 | "form-action": [`'self'`],
|
48 |
| - "frame-src": [`'self'`], |
| 47 | + "frame-src": [`'self'`, "*.youtube.com"], |
49 | 48 | "connect-src": [`'self'`],
|
50 |
| - "img-src": [`'self'`, "cdn.usefathom.com", "github.com"], |
| 49 | + "img-src": [ |
| 50 | + `'self'`, |
| 51 | + "cdn.usefathom.com", |
| 52 | + "github.com", |
| 53 | + "storage.googleapis.com", |
| 54 | + "stripe.com", |
| 55 | + "avatars.githubusercontent.com", |
| 56 | + ], |
51 | 57 | "manifest-src": [`'self'`],
|
52 | 58 | "object-src": [`'none'`],
|
53 | 59 | "report-uri": [reportUri], // for old browsers like Firefox
|
54 | 60 | "report-to": ["csp"], // for modern browsers like Chrome
|
55 | 61 | "script-src": [
|
56 | 62 | `'nonce-${nonce}'`,
|
| 63 | + `'unsafe-inline'`, // ignored by browsers that support 'notices/hashes` |
57 | 64 | `'strict-dynamic'`, // force hashes and nonces over domain host lists
|
58 | 65 | ],
|
59 |
| - "style-src": [`'self'`, `'unsafe-inline'`], |
| 66 | + "style-src": [`'self'`, `'unsafe-inline'`, "*.lemonsqueezy.com", "fonts.googleapis.com"], |
60 | 67 | };
|
61 | 68 |
|
62 | 69 | if (process.env.NODE_ENV === "development") {
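Review bot: The `'unsafe-inline'` added to `script-src` (new line 63) carries a comment with a typo that obscures the actual trade-off: it reads "notices/hashes" and should read "nonces/hashes", and it should state what happens on the browsers that do not ignore it. Browsers that understand nonces or hashes discard `'unsafe-inline'` when either is present, so the nonce-based policy still governs there; browsers without that support fall back to `'unsafe-inline'` and will execute any inline script, which is the intended legacy fallback but is worth recording explicitly, e.g. `` `'unsafe-inline'`, // ignored by browsers that support nonces/hashes; older browsers fall back to allowing all inline scripts ``. The wildcard host-sources `"*.youtube.com"` in `frame-src` (new line 47) and `"*.lemonsqueezy.com"` in `style-src` (new line 66) are scheme-less and match every subdomain; if the concrete hosts used are known, pinning them with an `https://` scheme (e.g. `https://www.youtube.com`) would narrow the allow-list without changing behaviour for the intended embeds. The enclosing `getContentSecurityPolicyHeaderValue` starts and ends outside this hunk.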
|
|