From 252f4f813b94049a2f5b42b7a3b8715181c6be37 Mon Sep 17 00:00:00 2001
From: Ho Ngoc Hai
Date: Wed, 15 Apr 2026 01:29:56 +0700
Subject: [PATCH] =?UTF-8?q?fix:=20Web=20CSP=20connect-src=20=E2=80=94=20us?=
 =?UTF-8?q?e=20domain=20only,=20not=20URL=20with=20path?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CSP connect-src needs origin (https://api.goodgo.vn), not a URL with path (/api/v1). The path form only matches that exact path, blocking fetch to /api/v1/listings, /api/v1/health etc.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/web/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/web/next.config.js b/apps/web/next.config.js
index 47dddb5..a512336 100644
--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
@@ -43,7 +43,7 @@ const nextConfig = {
 "style-src 'self' 'unsafe-inline' https://api.mapbox.com",
 "img-src 'self' data: blob: https://*.mapbox.com https://*.tiles.mapbox.com https:",
 "font-src 'self' data:",
- `connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com ${process.env.NEXT_PUBLIC_API_URL || 'https://api.goodgo.vn'}${process.env.NODE_ENV !== 'production' ? ' http://localhost:3001 http://localhost:3011' : ''}`,
+ `connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com https://api.goodgo.vn${process.env.NODE_ENV !== 'production' ? ' http://localhost:3001 http://localhost:3011' : ''}`,
 "worker-src 'self' blob:",
 "child-src 'self' blob:",
 "frame-ancestors 'none'",
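Review bot: The new `connect-src` line hard-codes `https://api.goodgo.vn` and no longer reads `NEXT_PUBLIC_API_URL`, so a build with `NODE_ENV=production` whose API sits on another host (a staging or preview deployment, if one exists) would have every API fetch blocked by the policy. Keeping the variable and reducing it to its origin fixes the path problem without that coupling: declare `const apiOrigin = new URL(process.env.NEXT_PUBLIC_API_URL || 'https://api.goodgo.vn').origin;` before the header list and interpolate `${apiOrigin}` in the template. `new URL` throws on a malformed or relative value, which fails the build instead of emitting a broken or over-broad source expression. The `nextConfig` object starts and ends outside this hunk, so the right place for the constant is not visible here.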