chore: Added CSP headers to next app for testing what we document (#1528

)
PostHog · Nov 15, 2024 · cb08a81 · cb08a81
1 parent 11d52d0
commit cb08a81
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/playground/nextjs/pages/_app.tsx b/playground/nextjs/pages/_app.tsx
@@ -34,11 +34,24 @@ export default function App({ Component, pageProps }: AppProps) {
         }
     }, [])
 
+    const localhostDomain = process.env.NEXT_PUBLIC_CROSSDOMAIN ? 'https://localhost:8000' : 'http://localhost:8000'
+
     return (
         <PostHogProvider client={posthog}>
             <Head>
                 <title>PostHog</title>
                 <meta name="viewport" content="width=device-width, initial-scale=1" />
+                {/* CSP - useful for testing our documented recommendations. NOTE: Unsafe is only needed for nextjs pre-loading */}
+                <meta
+                    http-equiv="Content-Security-Policy"
+                    content={`
+                    default-src 'self';
+                    connect-src 'self' ${localhostDomain} https://*.posthog.com;
+                    script-src 'self' 'unsafe-eval' 'unsafe-inline' ${localhostDomain} https://*.posthog.com;
+                    style-src 'self' 'unsafe-inline' ${localhostDomain} https://*.posthog.com;
+                    img-src 'self' ${localhostDomain} https://*.posthog.com;
+                `}
+                />
             </Head>
 
             <main>