From b0f59431e9a80342f5b9f14e6cfc7f45cfd38fdb Mon Sep 17 00:00:00 2001
From: Ben White
Date: Fri, 15 Nov 2024 08:57:22 -0800
Subject: [PATCH 1/3] Added csp
---
 playground/nextjs/pages/_app.tsx | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/playground/nextjs/pages/_app.tsx b/playground/nextjs/pages/_app.tsx
index d6d550995..7ec270d92 100644
--- a/playground/nextjs/pages/_app.tsx
+++ b/playground/nextjs/pages/_app.tsx
@@ -39,6 +39,17 @@ export default function App({ Component, pageProps }: AppProps) {
 PostHog
+ {/* CSP - useful for testing our documented recommendations. NOTE: Unsafe is only needed for nextjs pre-loading */}
+
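Review bot: The comment added at the top of the new block says only that "Unsafe" is needed for Next.js pre-loading, without naming the keyword or the directive, so a reader cannot tell which relaxations are playground concessions and which belong to the documented recommendation. The policy text is not visible in this hunk as extracted, but the context lines of the follow-up patch show `script-src` carrying both `'unsafe-eval'` and `'unsafe-inline'`. With both present the playground will not surface SDK code paths that depend on inline script or eval, which is presumably what a test of the recommendation is for. I would spell the exception out, e.g. `{/* CSP for testing our documented recommendations. 'unsafe-eval' and 'unsafe-inline' in script-src are concessions to Next.js, not part of the recommendation */}`, and, if Next.js turns out to need them only in development, gate them on `process.env.NODE_ENV !== 'production'`.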
From e4c1fa335e14ad768a55c36248aa73266789e8f9 Mon Sep 17 00:00:00 2001
From: Ben White
Date: Fri, 15 Nov 2024 08:57:35 -0800
Subject: [PATCH 2/3] Fix up
---
 playground/nextjs/pages/_app.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/playground/nextjs/pages/_app.tsx b/playground/nextjs/pages/_app.tsx
index 7ec270d92..024633a54 100644
--- a/playground/nextjs/pages/_app.tsx
+++ b/playground/nextjs/pages/_app.tsx
@@ -46,8 +46,8 @@ export default function App({ Component, pageProps }: AppProps) {
 default-src 'self';
 connect-src 'self' http://localhost:8000 https://*.posthog.com;
 script-src 'self' 'unsafe-eval' 'unsafe-inline' http://localhost:8000 https://*.posthog.com;
- style-src 'self' 'unsafe-inline' http://localhost:8000;
- img-src 'self' http://localhost:8000;
+ style-src 'self' 'unsafe-inline' http://localhost:8000 https://*.posthog.com;
+ img-src 'self' http://localhost:8000 https://*.posthog.com;
 `}
 />
From c29d04eb84d59435b328b55e5bf96fb8b8ee1765 Mon Sep 17 00:00:00 2001
From: Ben White
Date: Fri, 15 Nov 2024 09:42:39 -0800
Subject: [PATCH 3/3] Fixes
---
 playground/nextjs/pages/_app.tsx | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/playground/nextjs/pages/_app.tsx b/playground/nextjs/pages/_app.tsx
index 024633a54..46784b661 100644
--- a/playground/nextjs/pages/_app.tsx
+++ b/playground/nextjs/pages/_app.tsx
@@ -34,6 +34,8 @@ export default function App({ Component, pageProps }: AppProps) {
 }
 }, [])
+ const localhostDomain = process.env.NEXT_PUBLIC_CROSSDOMAIN ? 'https://localhost:8000' : 'http://localhost:8000'
+
 return (
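Review bot: In the `[PATCH 3/3]` hunk, `localhostDomain` switches on the truthiness of `process.env.NEXT_PUBLIC_CROSSDOMAIN`, and environment variables are strings, so `NEXT_PUBLIC_CROSSDOMAIN=false` or `=0` also selects the `https://` origin and the policy then blocks requests to the `http://localhost:8000` backend. Comparing against the exact value the playground scripts set would avoid that, for example `process.env.NEXT_PUBLIC_CROSSDOMAIN === 'true'` (the expected value is not visible here, so adjust the literal). The value depends on neither props nor state, so the constant could also live at module scope instead of being recomputed on every render of `App`. The body of `App` begins and ends outside this hunk.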
@@ -44,10 +46,10 @@ export default function App({ Component, pageProps }: AppProps) {
 http-equiv="Content-Security-Policy"
 content={`
 default-src 'self';
- connect-src 'self' http://localhost:8000 https://*.posthog.com;
- script-src 'self' 'unsafe-eval' 'unsafe-inline' http://localhost:8000 https://*.posthog.com;
- style-src 'self' 'unsafe-inline' http://localhost:8000 https://*.posthog.com;
- img-src 'self' http://localhost:8000 https://*.posthog.com;
+ connect-src 'self' ${localhostDomain} https://*.posthog.com;
+ script-src 'self' 'unsafe-eval' 'unsafe-inline' ${localhostDomain} https://*.posthog.com;
+ style-src 'self' 'unsafe-inline' ${localhostDomain} https://*.posthog.com;
+ img-src 'self' ${localhostDomain} https://*.posthog.com;
 `}
 />
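Review bot: The policy rewritten on these lines is still delivered through a meta `http-equiv="Content-Security-Policy"` element, which browsers do not treat the same as the response header: `frame-ancestors`, `report-uri` and `sandbox` are ignored in a meta policy, and it only governs what loads after the element has been parsed. If the playground is meant to validate the documented recommendations the way a site would deploy them, serving the same string as a `Content-Security-Policy` header from `headers()` in the Next.js config would be the closer test. Two smaller points on the same lines: React's name for the attribute is `httpEquiv`, and the `${localhostDomain} https://*.posthog.com` pair is repeated in all four directives, so hoisting it into one constant next to `localhostDomain` would stop the directives drifting apart the way `style-src` and `img-src` did before the earlier fix-up. The opening of the meta element sits outside this hunk.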