From 5fd535338337fbe5a3a5f8862912aeaa22d15693 Mon Sep 17 00:00:00 2001
From: Gao Sun
Date: Thu, 1 Aug 2024 10:18:22 +0800
Subject: [PATCH] refactor(core): allow cloudflare insights origin in csp (#6375)

refactor(core): allow cloudflare csp
---
 packages/core/src/middleware/koa-security-headers.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/core/src/middleware/koa-security-headers.ts b/packages/core/src/middleware/koa-security-headers.ts
index 00cfa54e8..0847353c7 100644
--- a/packages/core/src/middleware/koa-security-headers.ts
+++ b/packages/core/src/middleware/koa-security-headers.ts
@@ -105,6 +105,9 @@ export default function koaSecurityHeaders(
 "'self'",
 "'unsafe-inline'",
 `${gsiOrigin}client`,
+ // Some of our users may use the Cloudflare Web Analytics service. We need to allow it to
+ // load its scripts.
+ 'https://static.cloudflareinsights.com/',
 ...conditionalArray(!isProduction && "'unsafe-eval'"),
 ],
 connectSrc: ["'self'", gsiOrigin, tenantEndpointOrigin, ...developmentOrigins],
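Review bot: The new `'https://static.cloudflareinsights.com/'` entry is added unconditionally, so every deployment's policy now trusts a third-party script host, including deployments that never use Cloudflare Web Analytics. The array's directive key is above the hunk, but the neighbouring `'unsafe-inline'` and `'unsafe-eval'` entries suggest it is the script source list, so content served from that host could execute on whatever pages this policy covers. Consider gating it the way the next line already does, e.g. `...conditionalArray(allowCloudflareInsights && 'https://static.cloudflareinsights.com/'),` where `allowCloudflareInsights` is a placeholder for a setting this page does not show. Separately, `connectSrc` on the last context line is unchanged; Cloudflare's CSP guidance also lists `cloudflareinsights.com` under connect-src for the beacon's reporting requests, so the script may load and still be blocked from reporting. `koaSecurityHeaders` starts and ends outside the hunk.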