feat: allow custom protocols for app href (#2575)

Co-authored-by: Manuel <30572287+manuel-rw@users.noreply.github.com> Co-authored-by: Meier Lukas <meierschlumpf@gmail.com>
2026-02-26 16:30:57 +01:00 · 2025-05-23 22:19:59 +02:00
parent 71516e02c0
commit 09af0a76f6
2 changed files with 27 additions and 1 deletions
--- a/apps/nextjs/next.config.ts
+++ b/apps/nextjs/next.config.ts
@@ -49,6 +49,32 @@ const nextConfig: NextConfig = {
  images: {
    domains: ["cdn.jsdelivr.net"],
  },
+  // eslint-disable-next-line @typescript-eslint/require-await,no-restricted-syntax
+  async headers() {
+    return [
+      {
+        source: "/(.*)", // Apply CSP to all routes
+        headers: [
+          {
+            key: "Content-Security-Policy",
+            value: `
+              default-src 'self';
+              script-src * 'unsafe-inline' 'unsafe-eval';
+              base-uri 'self';
+              connect-src *;
+              style-src 'self' 'unsafe-inline'; 
+              frame-ancestors *;
+              frame-src *;
+              form-action 'self';
+              img-src * data:;
+            `
+              .replace(/\s{2,}/g, " ")
+              .trim(),
+          },
+        ],
+      },
+    ];
+  },
 };

 // Skip transform is used because of webpack loader, without it for example 'Tooltip.Floating' will not work and show an error
--- a/packages/validation/src/app.ts
+++ b/packages/validation/src/app.ts
@@ -4,7 +4,7 @@ export const appHrefSchema = z
  .string()
  .trim()
  .url()
-  .regex(/^https?:\/\//) // Only allow http and https for security reasons (javascript: is not allowed)
+  .regex(/^(?!javascript)[a-zA-Z]*:\/\//i) // javascript: is not allowed, i for case insensitive (so Javascript: is also not allowed)
  .or(z.literal(""))
  .transform((value) => (value.length === 0 ? null : value))
  .nullable();