From cb08a812a7b33fc60ce21be62a4ee6b6611ddeea Mon Sep 17 00:00:00 2001
From: Ben White <ben@posthog.com>
Date: Fri, 15 Nov 2024 09:59:30 -0800
Subject: [PATCH] chore: Added CSP headers to next app for testing what we
 document (#1528)

---
 playground/nextjs/pages/_app.tsx | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/playground/nextjs/pages/_app.tsx b/playground/nextjs/pages/_app.tsx
index d6d550995..46784b661 100644
--- a/playground/nextjs/pages/_app.tsx
+++ b/playground/nextjs/pages/_app.tsx
@@ -34,11 +34,24 @@ export default function App({ Component, pageProps }: AppProps) {
         }
     }, [])
 
+    const localhostDomain = process.env.NEXT_PUBLIC_CROSSDOMAIN ? 'https://localhost:8000' : 'http://localhost:8000'
+
     return (
         <PostHogProvider client={posthog}>
             <Head>
                 <title>PostHog</title>
                 <meta name="viewport" content="width=device-width, initial-scale=1" />
+                {/* CSP - useful for testing our documented recommendations. NOTE: Unsafe is only needed for nextjs pre-loading */}
+                <meta
+                    http-equiv="Content-Security-Policy"
+                    content={`
+                    default-src 'self';
+                    connect-src 'self' ${localhostDomain} https://*.posthog.com;
+                    script-src 'self' 'unsafe-eval' 'unsafe-inline' ${localhostDomain} https://*.posthog.com;
+                    style-src 'self' 'unsafe-inline' ${localhostDomain} https://*.posthog.com;
+                    img-src 'self' ${localhostDomain} https://*.posthog.com;
+                `}
+                />
             </Head>
 
             <main>