The CSP set default-src 'self' with no frame-src, so it fell back to
'self' for frames. Inline signed-EOI previews iframe a presigned
s3.portnimara.com URL and the admin embedded-signing card iframes the
Documenso host — both were blocked, rendering a broken-file placeholder
("Framing 'https://s3.portnimara.com/' violates ... default-src 'self'").
Add `frame-src 'self' blob: https:` to both CSP definitions (proxy.ts
middleware + next.config.ts), matching the existing https: posture of
img-src/connect-src. frame-ancestors 'none' is unchanged, so we still
can't be embedded by third parties.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
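The fallback behaviour the commit describes (no frame-src, so the browser consults default-src and rejects the cross-origin iframe) is easy to misjudge by eye, as is the separate fact that frame-ancestors never inherits from default-src. The following is an added illustration, not code from the project or its authors: a minimal CSP evaluator that walks the frame-src fallback chain and matches a URL against the governing source list. The page origin `https://app.example`, the presigned object path, and the before/after policy strings are constructed for the example; only the s3.portnimara.com host and the directive values come from the commit message. The matcher is deliberately simplified (no path matching, no http:-covers-https: rule).

```javascript
// Added illustration, not the project's code: a small evaluator for the
// CSP fallback chain behind "Framing ... violates ... default-src 'self'".

// Parse a CSP header value into Map<directive, [source expressions]>.
function parseCsp(header) {
  const policy = new Map();
  for (const clause of header.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Fallback chains per CSP Level 3: frame-src falls back to child-src, then
// default-src. frame-ancestors has no fallback at all, which is why an
// explicit frame-ancestors 'none' must be kept when default-src is tightened.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'frame-ancestors': ['frame-ancestors'],
};

// The source list that governs `directive`, or null if nothing restricts it.
function effectiveSources(policy, directive) {
  const chain = FALLBACK[directive] || [directive, 'default-src'];
  for (const name of chain) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression permit `url`? Handles 'self', 'none',
// scheme-sources (https:, blob:), '*', and host-sources with optional
// scheme, leading "*." wildcard and port.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false; // nonce/hash/unsafe-* never apply to frames
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

// May a page at `pageOrigin`, served with `header`, load `urlString` in the
// context governed by `directive`?
function allowed(header, directive, urlString, pageOrigin) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true; // nothing governs it: unrestricted
  const url = new URL(urlString);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed policies mirroring the commit message, before and after the fix.
const PAGE = 'https://app.example'; // assumed first-party origin
const BEFORE =
  "default-src 'self'; img-src 'self' https: data:; connect-src 'self' https:; frame-ancestors 'none'";
const AFTER = BEFORE + "; frame-src 'self' blob: https:";
// Constructed presigned-object path; only the host is from the commit message.
const PRESIGNED = 'https://s3.portnimara.com/eoi/doc.pdf?X-Amz-Signature=abc';

console.log('before fix, frame presigned S3:', allowed(BEFORE, 'frame-src', PRESIGNED, PAGE));
console.log('after fix,  frame presigned S3:', allowed(AFTER, 'frame-src', PRESIGNED, PAGE));
console.log('after fix,  third party embeds us:', allowed(AFTER, 'frame-ancestors', 'https://evil.example/', PAGE));
```

Running it shows the pre-fix policy rejecting the s3.portnimara.com frame purely through the default-src fallback, the post-fix policy admitting it via the `https:` scheme-source while still rejecting plain `http:` frames, and frame-ancestors 'none' continuing to block embedding. Dropping frame-ancestors and relying on default-src would not block embedding at all, which the last check makes visible.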