feat: CPX-632 add CSP with frame-ancestors

bigcommerce · Sep 11, 2024 · da1f46d · da1f46d
1 parent 721c214
commit da1f46d
Showing 1 changed file with 27 additions and 6 deletions.
diff --git a/src/middleware.ts b/src/middleware.ts
@@ -9,17 +9,38 @@ const csrfProtect = csrf({
 });
 
 export async function middleware(request: NextRequest) {
-    const response = NextResponse.next();
+    const cspHeader = `
+        frame-ancestors: 'https://store-*.mybigcommerce.com' 
+        'https://store-*.my-integration.zone' 
+        'https://store-*.my-staging.zone';
+    `;
+    const contentSecurityPolicyHeaderValue = cspHeader
+    .replace(/\s{2,}/g, ' ')
+    .trim();
+
+    const requestHeaders = new Headers(request.headers);
+
+    requestHeaders.set(
+        'Content-Security-Policy',
+        contentSecurityPolicyHeaderValue
+    );
+
+    const response = NextResponse.next({
+        request: {
+            headers: requestHeaders,
+        },
+    });
 
     const csrfError = await csrfProtect(request, response);
 
     if (csrfError) {
         return new NextResponse('invalid csrf token', { status: 403 });
     }
 
-    return response;
-}
-
-export const config = {
-    matcher: ['/productDescription/:productId*', '/api/generateDescription'],
+    response.headers.set(
+        'Content-Security-Policy',
+        contentSecurityPolicyHeaderValue
+    );
+
+    return response
 }