11import adapter from '@sveltejs/adapter-node' ;
22
3- /**
4- * Content-Security-Policy source allowlist. SvelteKit adds a nonce/hash to script-src on its own
5- * injected scripts (mode 'auto': nonce for SSR, hash for prerendered), so script-src stays free of
6- * 'unsafe-inline'. style-src keeps 'unsafe-inline' because the preview relies on dynamic inline
7- * style attributes; SvelteKit skips adding nonces to any directive that already has 'unsafe-inline'.
8- */
9- const cspDirectives = {
10- 'default-src' : [ "'self'" ] ,
11- 'script-src' : [ "'self'" , 'https://www.googletagmanager.com' , 'https://tally.so' ] ,
12- 'style-src' : [ "'self'" , "'unsafe-inline'" , 'https://fonts.googleapis.com' ] ,
13- 'font-src' : [ "'self'" , 'data:' , 'https://fonts.gstatic.com' ] ,
14- 'img-src' : [
15- "'self'" ,
16- 'data:' ,
17- 'blob:' ,
18- 'https://aligner.fra1.cdn.digitaloceanspaces.com' ,
19- 'https://www.google-analytics.com'
20- ] ,
21- 'connect-src' : [
22- "'self'" ,
23- 'https://www.googletagmanager.com' ,
24- 'https://*.google-analytics.com' ,
25- 'https://*.analytics.google.com' ,
26- 'https://fonts.gstatic.com'
27- ] ,
28- 'frame-src' : [ 'https://tally.so' ] ,
29- 'frame-ancestors' : [ "'self'" ] ,
30- 'base-uri' : [ "'self'" ] ,
31- 'form-action' : [ "'self'" ] ,
32- 'object-src' : [ "'none'" ] ,
33- 'report-uri' : [ '/api/csp-report' ]
34- } ;
35-
363/** @type {import('@sveltejs/kit').Config } */
374const config = {
385 compilerOptions : {
@@ -44,13 +11,6 @@ const config = {
4411 /** Canonical / og:url on prerendered routes (examples, privacy). Without this, build bakes `http://sveltekit-prerender/...`. */
4512 prerender : {
4613 origin : 'https://aligner.tinygods.dev'
47- } ,
48- // Report-only first: observe violations via /api/csp-report before enforcing. Flip
49- // `reportOnly` to `directives` once QA is clean (see the CSP task).
50- csp : {
51- mode : 'auto' ,
52- // reportOnly: cspDirectives
53- directives : cspDirectives
5414 }
5515 }
5616} ;
0 commit comments