
Conversation

@waleedlatif1
Collaborator

Summary

added terms, privacy, & logo URLs to CSP

Type of Change

  • Bug fix

Testing

Tested manually.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Sep 22, 2025

The latest updates on your projects.

Project   Deployment   Preview   Comments   Updated (UTC)
sim       Ready        Preview   Comment    Sep 22, 2025 7:02pm

1 Skipped Deployment

Project   Deployment   Preview   Comments   Updated (UTC)
docs      Skipped      Skipped              Sep 22, 2025 7:02pm

Contributor

@greptile-apps greptile-apps bot left a comment


Greptile Summary

This PR enhances the Content Security Policy (CSP) configuration to support dynamic branding and legal page URLs through environment variables. The changes add support for three new environment variables: NEXT_PUBLIC_BRAND_LOGO_URL, NEXT_PUBLIC_PRIVACY_URL, and NEXT_PUBLIC_TERMS_URL. The implementation extracts hostnames from these URL environment variables and adds them to both build-time and runtime CSP directives.

The code adds URL parsing logic with proper error handling using try-catch blocks to gracefully handle invalid URLs. For the brand logo URL, the hostname is added to the img-src directive to allow loading external brand images. For privacy and terms URLs, the hostnames are added to the connect-src directive to permit navigation to these pages. The implementation includes domain deduplication logic to optimize CSP policy size when multiple URLs share the same hostname.

This change enables white-labeling capabilities by allowing the application to be configured with custom brand logos, privacy policies, and terms of service pages without requiring code changes. The dual approach of handling both build-time CSP (for Next.js configuration) and runtime CSP (for dynamic headers) ensures compatibility with various deployment scenarios, including Docker environments where environment variables might not be available during the build process.

Confidence score: 4/5

  • This PR is safe to merge with minimal risk as it only adds permissive CSP entries for configurable URLs
  • Score reflects solid error handling and defensive coding practices, though the manual testing approach could be more comprehensive
  • Pay close attention to the CSP configuration file to ensure the URL parsing logic handles edge cases properly

1 file reviewed, 1 comment

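As an added example, not code from the Sim repository, here is the approach the review summary describes written out in TypeScript: hostnames are extracted from the three environment variables, unparsable or non-http(s) values are skipped instead of aborting policy construction, a host shared by the privacy and terms URLs is added once, and the results go to img-src and connect-src. The environment variable names are the ones in the PR; the function names, default sources and sample values are assumptions.

```typescript
// Added example, not Sim's own code: derive CSP host-sources from the
// branding/legal URL env vars named in the PR (helper names are hypothetical).
type BrandingEnv = {
  NEXT_PUBLIC_BRAND_LOGO_URL?: string;
  NEXT_PUBLIC_PRIVACY_URL?: string;
  NEXT_PUBLIC_TERMS_URL?: string;
};
type CspDirectives = { imgSrc: string[]; connectSrc: string[] };

// Hostname for use as a CSP host-source, or null for a missing value, an
// unparsable URL or a non-http(s) scheme: a bad setting is skipped, not fatal.
function cspHostFromUrl(value: string | undefined): string | null {
  if (!value) return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.hostname;
  } catch {
    return null; // new URL() throws on malformed input
  }
}

// Append only when absent, so privacy and terms on one host yield one entry.
function addUnique(list: string[], entry: string): void {
  if (list.indexOf(entry) === -1) list.push(entry);
}

// Logo host -> img-src; privacy/terms hosts -> connect-src, as the PR does.
function buildCspDirectives(env: BrandingEnv): CspDirectives {
  const imgSrc = ["'self'", "data:"];
  const connectSrc = ["'self'"];
  const logo = cspHostFromUrl(env.NEXT_PUBLIC_BRAND_LOGO_URL);
  if (logo) addUnique(imgSrc, logo);
  for (const v of [env.NEXT_PUBLIC_PRIVACY_URL, env.NEXT_PUBLIC_TERMS_URL]) {
    const host = cspHostFromUrl(v);
    if (host) addUnique(connectSrc, host);
  }
  return { imgSrc, connectSrc };
}

// Header-value form: "img-src ...; connect-src ...".
function renderCsp(d: CspDirectives): string {
  return `img-src ${d.imgSrc.join(" ")}; connect-src ${d.connectSrc.join(" ")}`;
}

// Constructed sample: privacy and terms share a host, the logo sits on a CDN.
const sampleEnv: BrandingEnv = {
  NEXT_PUBLIC_BRAND_LOGO_URL: "https://cdn.example.com/brand/logo.png",
  NEXT_PUBLIC_PRIVACY_URL: "https://legal.example.com/privacy",
  NEXT_PUBLIC_TERMS_URL: "https://legal.example.com/terms",
};
console.log(renderCsp(buildCspDirectives(sampleEnv)));
```

One caveat when reviewing such a change: connect-src restricts fetch, XMLHttpRequest and WebSocket targets rather than ordinary link navigation, so the privacy and terms entries only take effect if the app fetches those pages.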

@vercel vercel bot temporarily deployed to Preview – docs September 22, 2025 18:58 Inactive
@waleedlatif1 waleedlatif1 merged commit 73d779a into staging Sep 22, 2025
6 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/csp branch September 23, 2025 15:57