fix: Web CSP connect-src — use domain only, not URL with path
Some checks failed
E2E Tests / Playwright E2E (push) Failing after 14s
CI / Lint → Typecheck → Test → Build (22) (push) Failing after 11s
CI / E2E Tests (push) Has been skipped
Deploy / Build API Image (push) Failing after 16s
Deploy / Build Web Image (push) Failing after 11s
Deploy / Build AI Services Image (push) Failing after 10s
Deploy / Deploy to Staging (push) Has been skipped
Deploy / Smoke Test Staging (push) Has been skipped
Deploy / Deploy to Production (push) Has been skipped
Deploy / Smoke Test Production (push) Has been skipped
Deploy / Rollback Staging (push) Has been skipped
Deploy / Rollback Production (push) Has been skipped
Security Scanning / Dependency Audit (pnpm) (push) Failing after 16s
Security Scanning / Trivy Scan — API Image (push) Failing after 12m39s
Security Scanning / Trivy Scan — Web Image (push) Failing after 50s
Security Scanning / Trivy Scan — AI Services Image (push) Failing after 36s
Security Scanning / Trivy Filesystem Scan (push) Failing after 23s
Security Scanning / Security Gate (push) Failing after 2s
CSP connect-src needs origin (https://api.goodgo.vn), not a URL with path (/api/v1). The path form only matches that exact path, blocking fetch to /api/v1/listings, /api/v1/health etc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -43,7 +43,7 @@ const nextConfig = {
|
||||
"style-src 'self' 'unsafe-inline' https://api.mapbox.com",
|
||||
"img-src 'self' data: blob: https://*.mapbox.com https://*.tiles.mapbox.com https:",
|
||||
"font-src 'self' data:",
|
||||
`connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com ${process.env.NEXT_PUBLIC_API_URL || 'https://api.goodgo.vn'}${process.env.NODE_ENV !== 'production' ? ' http://localhost:3001 http://localhost:3011' : ''}`,
|
||||
`connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com https://api.goodgo.vn${process.env.NODE_ENV !== 'production' ? ' http://localhost:3001 http://localhost:3011' : ''}`,
|
||||
"worker-src 'self' blob:",
|
||||
"child-src 'self' blob:",
|
||||
"frame-ancestors 'none'",
|
||||
|
||||
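Review bot: The added connect-src line hardcodes https://api.goodgo.vn and drops the NEXT_PUBLIC_API_URL lookup that the removed line had, so any build that sets that variable to a different host will have its API requests blocked by the policy; when NODE_ENV is production the localhost entries are not appended either. Consider keeping the variable and reducing it to its origin, for example new URL(process.env.NEXT_PUBLIC_API_URL || 'https://api.goodgo.vn').origin, which strips the /api/v1 path without pinning the host. Separately, https://api.mapbox.com and https://events.mapbox.com on the same line are already covered by https://*.mapbox.com and could be dropped.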