Skip to content

fix(csp): add missing analytics domains, remove unsafe-eval, fix workspace CSP gap#4179

Open
waleedlatif1 wants to merge 1 commit intostagingfrom
waleedlatif1/fix-type-errors
Open

fix(csp): add missing analytics domains, remove unsafe-eval, fix workspace CSP gap#4179
waleedlatif1 wants to merge 1 commit intostagingfrom
waleedlatif1/fix-type-errors

Conversation

@waleedlatif1
Copy link
Copy Markdown
Collaborator

@waleedlatif1 waleedlatif1 commented Apr 15, 2026

Summary

  • Add missing CSP domains for Google Analytics (analytics.google.com, www.google.com) and Ahrefs (analytics.ahrefs.com) that were causing console violations on sim.ai
  • Extract shared STATIC_* constants so build-time and runtime CSP compose from a single source of truth — no more duplicate domain lists that drift apart
  • Remove unsafe-eval from script-src — nothing in the app uses eval() and the workflow execution endpoint already has its own permissive CSP
  • Fix bug where /workspace/* routes had no CSP header at all (middleware returned early before setting it, and next.config.ts excluded them)
  • Fix route overlap where /login and /signup got redundant CSP from both middleware and next.config.ts

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
Copy link
Copy Markdown

vercel bot commented Apr 15, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Apr 15, 2026 6:44am

Request Review

@cursor
Copy link
Copy Markdown

cursor bot commented Apr 15, 2026
edited
Loading

PR Summary

Medium Risk
Touches CSP and security headers across middleware and next.config.ts, which can easily break third-party scripts/embeds or block needed network calls if misconfigured. Changes are localized but affect most page responses.

Overview
Unifies CSP configuration by extracting shared STATIC_* source lists and composing both build-time and runtime policies from the same directives, replacing the previous hand-built runtime CSP string.

Adjusts allowed sources by removing unsafe-eval from script-src, expanding frame-src to a broader set of embed providers, and adding missing analytics domains (Google/Ahrefs) plus a few additional image/connect domains.

Fixes header application gaps/overlap by having middleware (proxy.ts) set CSP + nosniff + SAMEORIGIN on /workspace/*, /login, /signup, and /, and updating next.config.ts route header patterns to exclude those paths from duplicate header injection.

Reviewed by Cursor Bugbot for commit f7aeaf6. Configure here.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Apr 15, 2026
edited
Loading

Greptile Summary

This PR centralizes CSP configuration into STATIC_* constants shared by both build-time and runtime paths, adds missing analytics domains (analytics.google.com, www.google.com, analytics.ahrefs.com), removes unsafe-eval from script-src, and fixes a gap where /workspace/*, /login, /signup, and / routes received no CSP header from middleware. The next.config.ts catch-all exclusion pattern is updated to avoid double-header conflicts on the newly covered routes.

Confidence Score: 5/5

Safe to merge — all route/CSP logic is correct, no double-header conflicts, and the unsafe-eval removal is conservative and intentional.

No P0 or P1 issues found. The STATIC_* refactor correctly deduplicates domain lists, the catch-all negative-lookahead regex properly excludes all middleware-owned routes (including root via $), both explicit analytics.google.com and *.analytics.google.com entries in connect-src are non-redundant (wildcard excludes the apex), and workspace/login/signup/root pages now correctly receive runtime CSP via generateRuntimeCSP().

No files require special attention.

Important Files Changed

Filename Overview
apps/sim/lib/core/security/csp.ts Refactored to extract STATIC_* constants and add generateRuntimeCSP() for request-time env var resolution; safe, well-structured change with no logic bugs.
apps/sim/next.config.ts Catch-all CSP header source pattern updated to exclude workspace, login, signup, and root (via $) from getMainCSPPolicy() since middleware now owns those routes; overlap is correctly resolved.
apps/sim/proxy.ts CSP headers now correctly set on /login, /signup, /workspace/*, and / via generateRuntimeCSP(); X-Content-Type-Options and X-Frame-Options added consistently across all newly covered routes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    REQ[Incoming Request] --> MATCH{Route?}

    MATCH -->|"/ (root)"| ROOT["middleware: generateRuntimeCSP()"]
    MATCH -->|"/login or /signup"| AUTH_ROUTE["middleware: generateRuntimeCSP()"]
    MATCH -->|"/workspace/* (authenticated)"| WS["middleware: generateRuntimeCSP()"]
    MATCH -->|"/workspace/*/templates"| WS_TEMPL["middleware: NextResponse.next()\n(no CSP — public page)"]
    MATCH -->|"/chat/* or /form/*"| EMBED["next.config.ts:\ngetChatEmbedCSPPolicy()\ngetFormEmbedCSPPolicy()"]
    MATCH -->|"/api/workflows/:id/execute"| EXEC["next.config.ts:\ngetWorkflowExecutionCSPPolicy()\n(unsafe-eval retained)"]
    MATCH -->|"Other routes\n(e.g. /templates, /api/*)"| CATCH["next.config.ts catch-all:\ngetMainCSPPolicy()"]

    ROOT --> CSP1["Content-Security-Policy\n(runtime env vars via getEnv)"]
    AUTH_ROUTE --> CSP1
    WS --> CSP1
    EMBED --> CSP2["Content-Security-Policy\n(build-time + frame-ancestors: *)"]
    EXEC --> CSP3["default-src * unsafe-inline unsafe-eval"]
    CATCH --> CSP4["Content-Security-Policy\n(build-time env vars)"]
Loading

Reviews (2): Last reviewed commit: "fix(csp): add missing analytics domains,..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps bot reviewed Apr 15, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Apr 15, 2026
View reviewed changes
@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/fix-type-errors branch from 67133b7 to bb9c776 Compare April 15, 2026 06:42
@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/fix-type-errors branch from bb9c776 to f7aeaf6 Compare April 15, 2026 06:44
@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 15, 2026

@greptile

@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 15, 2026

@cursor review

cursor[bot]
cursor bot reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit f7aeaf6. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@waleedlatif1