fix(csp): added terms, privacy, & logo URLs to CSP

waleedlatif1 · waleedlatif1 · commit 323f2cd84f4a · 2025-09-22T11:50:59.000-07:00
diff --git a/apps/sim/lib/security/csp.ts b/apps/sim/lib/security/csp.ts
@@ -43,7 +43,6 @@ export const buildTimeCSPDirectives: CSPDirectives = {
   'style-src': ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
 
   'img-src': [
-    'https://agentics.epiqglobal.com',
     "'self'",
     'data:',
     'blob:',
@@ -66,6 +65,16 @@ export const buildTimeCSPDirectives: CSPDirectives = {
       : []),
     'https://*.amazonaws.com',
     'https://*.blob.core.windows.net',
+    ...(env.NEXT_PUBLIC_BRAND_LOGO_URL
+      ? (() => {
+          try {
+            const url = new URL(env.NEXT_PUBLIC_BRAND_LOGO_URL)
+            return [`https://${url.hostname}`]
+          } catch {
+            return []
+          }
+        })()
+      : []),
   ],
 
   'media-src': ["'self'", 'blob:'],
@@ -98,6 +107,36 @@ export const buildTimeCSPDirectives: CSPDirectives = {
     'https://*.vercel.app',
     'wss://*.vercel.app',
     'https://pro.ip-api.com',
+    ...(env.NEXT_PUBLIC_BRAND_LOGO_URL
+      ? (() => {
+          try {
+            const url = new URL(env.NEXT_PUBLIC_BRAND_LOGO_URL)
+            return [`https://${url.hostname}`]
+          } catch {
+            return []
+          }
+        })()
+      : []),
+    ...(env.NEXT_PUBLIC_PRIVACY_URL
+      ? (() => {
+          try {
+            const url = new URL(env.NEXT_PUBLIC_PRIVACY_URL)
+            return [`https://${url.hostname}`]
+          } catch {
+            return []
+          }
+        })()
+      : []),
+    ...(env.NEXT_PUBLIC_TERMS_URL
+      ? (() => {
+          try {
+            const url = new URL(env.NEXT_PUBLIC_TERMS_URL)
+            return [`https://${url.hostname}`]
+          } catch {
+            return []
+          }
+        })()
+      : []),
   ],
 
   // Google Picker and Drive integration
@@ -140,14 +179,46 @@ export function generateRuntimeCSP(): string {
   const appUrl = getEnv('NEXT_PUBLIC_APP_URL') || ''
   const ollamaUrl = getEnv('OLLAMA_URL') || 'http://localhost:11434'
 
+  const brandLogoDomain = (() => {
+    try {
+      const url = getEnv('NEXT_PUBLIC_BRAND_LOGO_URL')
+      return url ? `https://${new URL(url).hostname}` : ''
+    } catch {
+      return ''
+    }
+  })()
+
+  const privacyDomain = (() => {
+    try {
+      const url = getEnv('NEXT_PUBLIC_PRIVACY_URL')
+      return url ? `https://${new URL(url).hostname}` : ''
+    } catch {
+      return ''
+    }
+  })()
+
+  const termsDomain = (() => {
+    try {
+      const url = getEnv('NEXT_PUBLIC_TERMS_URL')
+      return url ? `https://${new URL(url).hostname}` : ''
+    } catch {
+      return ''
+    }
+  })()
+
+  const dynamicDomains = Array.from(
+    new Set([brandLogoDomain, privacyDomain, termsDomain].filter(Boolean))
+  )
+  const dynamicDomainsStr = dynamicDomains.join(' ')
+
   return `
     default-src 'self';
     script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.google.com https://apis.google.com https://*.vercel-scripts.com https://*.vercel-insights.com https://vercel.live https://*.vercel.live https://vercel.com https://*.vercel.app https://vitals.vercel-insights.com https://b2bjsstore.s3.us-west-2.amazonaws.com;
     style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
-    img-src 'self' data: blob: https://*.googleusercontent.com https://*.google.com https://*.atlassian.com https://cdn.discordapp.com https://*.githubusercontent.com https://*.public.blob.vercel-storage.com;
+    img-src 'self' data: blob: https://*.googleusercontent.com https://*.google.com https://*.atlassian.com https://cdn.discordapp.com https://*.githubusercontent.com https://*.public.blob.vercel-storage.com ${brandLogoDomain};
     media-src 'self' blob:;
     font-src 'self' https://fonts.gstatic.com;
-    connect-src 'self' ${appUrl} ${ollamaUrl} ${socketUrl} ${socketWsUrl} https://*.up.railway.app wss://*.up.railway.app https://api.browser-use.com https://api.exa.ai https://api.firecrawl.dev https://*.googleapis.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.blob.core.windows.net https://*.vercel-insights.com https://vitals.vercel-insights.com https://*.atlassian.com https://*.supabase.co https://vercel.live https://*.vercel.live https://vercel.com https://*.vercel.app wss://*.vercel.app https://pro.ip-api.com;
+    connect-src 'self' ${appUrl} ${ollamaUrl} ${socketUrl} ${socketWsUrl} https://*.up.railway.app wss://*.up.railway.app https://api.browser-use.com https://api.exa.ai https://api.firecrawl.dev https://*.googleapis.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.blob.core.windows.net https://*.vercel-insights.com https://vitals.vercel-insights.com https://*.atlassian.com https://*.supabase.co https://vercel.live https://*.vercel.live https://vercel.com https://*.vercel.app wss://*.vercel.app https://pro.ip-api.com ${dynamicDomainsStr};
     frame-src https://drive.google.com https://docs.google.com https://*.google.com;
     frame-ancestors 'self';
     form-action 'self';
