fix: update csp config

langgenius · Sep 19, 2024 · 88125aa · 88125aa
1 parent 2a264c3
commit 88125aa
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/web/middleware.ts b/web/middleware.ts
@@ -5,15 +5,16 @@ export function middleware(request: NextRequest) {
   const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
   // style-src 'self' 'nonce-${nonce}';
   const whiteList = 'https://cloud.dify.dev/ https://cloud.dify.ai/ https://analytics.google.com https://googletagmanager.com https://api.github.com'
-  const csp = process.env.NODE_ENV === 'production' ? `'nonce-${nonce}' ${whiteList}` : '\'unsafe-eval\' \'unsafe-inline\''
+  const csp = process.env.NODE_ENV === 'production' ? `'nonce-${nonce}'` : '\'unsafe-eval\' \'unsafe-inline\''
 
   const cspHeader = `
-    default-src 'self' ${csp};
-    connect-src 'self' ${csp};
-    script-src 'self' ${csp};
-    style-src 'self' ${csp};
-    worker-src 'self' ${csp};
-    img-src 'self' blob: data: ${csp};
+    default-src 'self' ${csp} blob: data: ${whiteList};
+    connect-src 'self' ${csp} blob: data: ${whiteList};
+    script-src 'self' ${csp} blob: ${whiteList};
+    style-src 'self' ${csp} ${whiteList};
+    worker-src 'self' ${csp} blob: ${whiteList};
+    media-src 'self' ${csp} blob: data: ${whiteList};
+    img-src 'self' ${csp} blob: data: ${whiteList};
     font-src 'self';
     object-src 'none';
     base-uri 'self';