From f9c23a5173c51f91af46fea9874c07ba30ea2672 Mon Sep 17 00:00:00 2001
From: Ho Ngoc Hai
Date: Wed, 15 Apr 2026 00:25:54 +0700
Subject: [PATCH] =?UTF-8?q?fix:=20Web=20CSP=20=E2=80=94=20add=20api.goodgo?= =?UTF-8?q?.vn=20to=20connect-src?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-Security-Policy connect-src only allowed 'self' + mapbox in production, blocking all browser fetch to api.goodgo.vn. Added NEXT_PUBLIC_API_URL to connect-src whitelist.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/web/next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/web/next.config.js b/apps/web/next.config.js
index 5e9ea69..47dddb5 100644
--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
@@ -43,7 +43,7 @@ const nextConfig = {
 "style-src 'self' 'unsafe-inline' https://api.mapbox.com",
 "img-src 'self' data: blob: https://*.mapbox.com https://*.tiles.mapbox.com https:",
 "font-src 'self' data:",
- `connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com${process.env.NODE_ENV !== 'production' ? ' http://localhost:3001 http://localhost:3011' : ''}`,
+ `connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com ${process.env.NEXT_PUBLIC_API_URL || 'https://api.goodgo.vn'}${process.env.NODE_ENV !== 'production' ? ' http://localhost:3001 http://localhost:3011' : ''}`,
 "worker-src 'self' blob:",
 "child-src 'self' blob:",
 "frame-ancestors 'none'",
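Review bot: The new `connect-src` entry interpolates `process.env.NEXT_PUBLIC_API_URL` into the header verbatim, so whatever that variable holds at build time becomes policy text. If it is ever set with a path (a hypothetical base URL ending in `/api/v1`, say), CSP matches a path without a trailing slash exactly and requests to deeper endpoints would still be blocked, while a value containing whitespace or `;` would silently add extra sources or directives. Reducing it to an origin first keeps the allowlist to scheme, host and port and makes a malformed value fail the build instead of weakening the policy: `const apiOrigin = new URL(process.env.NEXT_PUBLIC_API_URL || 'https://api.goodgo.vn').origin;` and then `${apiOrigin}` in the template. The policy array and `nextConfig` begin and end outside this hunk, so where that constant is best declared cannot be seen from here.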