Merge branch 'master' into sam/25_01_07/remove-sentry

NangoHQ · Jan 7, 2025 · 36c835e · 36c835e
2 parents 61a2ecd + b873780
commit 36c835e
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/packages/server/lib/middleware/security.ts b/packages/server/lib/middleware/security.ts
@@ -9,6 +9,9 @@ export function securityMiddlewares(): RequestHandler[] {
     hostWs.protocol = hostApi.startsWith('https') ? 'wss' : 'ws';
     const reportOnly = process.env['CSP_REPORT_ONLY'];
 
+    const additionalConnectSources = [process.env['PUBLIC_KOALA_API_URL'] ? new URL(process.env['PUBLIC_KOALA_API_URL']).origin : ''];
+    const additionalScriptSources = [process.env['PUBLIC_KOALA_CDN_URL'] ? new URL(process.env['PUBLIC_KOALA_CDN_URL']).origin : ''];
+
     return [
         helmet.xssFilter(),
         helmet.noSniff(),
@@ -24,7 +27,16 @@ export function securityMiddlewares(): RequestHandler[] {
             directives: {
                 defaultSrc: ["'self'", hostPublic, hostApi],
                 childSrc: "'self'",
-                connectSrc: ["'self'", 'https://*.google-analytics.com', 'https://*.sentry.io', hostPublic, hostApi, hostWs.href, 'https://*.posthog.com'],
+                connectSrc: [
+                    "'self'",
+                    'https://*.google-analytics.com',
+                    'https://*.sentry.io',
+                    hostPublic,
+                    hostApi,
+                    hostWs.href,
+                    'https://*.posthog.com',
+                    ...additionalConnectSources
+                ],
                 fontSrc: ["'self'", 'https://*.googleapis.com', 'https://*.gstatic.com'],
                 frameSrc: ["'self'", 'https://accounts.google.com', hostPublic, hostApi, connectUrl, 'https://www.youtube.com'],
                 imgSrc: [
@@ -51,7 +63,8 @@ export function securityMiddlewares(): RequestHandler[] {
                     'https://*.googleapis.com',
                     'https://apis.google.com',
                     'https://*.posthog.com',
-                    'https://www.youtube.com'
+                    'https://www.youtube.com',
+                    ...additionalScriptSources
                 ],
                 styleSrc: ['blob:', "'self'", "'unsafe-inline'", 'https://*.googleapis.com', hostPublic, hostApi],
                 workerSrc: ['blob:', "'self'", hostPublic, hostApi, 'https://*.googleapis.com', 'https://*.posthog.com']