fix: add blob: to CSP for Monaco Editor web workers

batalabs · batalabs · commit 7a4d7d7f2fac · 2025-11-04T20:18:34.000-05:00
diff --git a/nginx.conf.template b/nginx.conf.template
@@ -39,7 +39,7 @@ http {
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-Content-Type-Options "nosniff" always;
         add_header X-XSS-Protection "1; mode=block" always;
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://clerk.typelets.com https://*.clerk.accounts.dev https://static.cloudflareinsights.com https://cdn.jsdelivr.net; script-src-elem 'self' 'unsafe-inline' https://clerk.typelets.com https://*.clerk.accounts.dev https://static.cloudflareinsights.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://clerk.typelets.com https://fonts.googleapis.com https://cdn.jsdelivr.net; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://clerk.typelets.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; font-src 'self' data: https://clerk.typelets.com https://fonts.gstatic.com https://cdn.jsdelivr.net; connect-src 'self' https://clerk.typelets.com https://*.clerk.accounts.dev https://cloudflareinsights.com wss://ws-api.typelets.com https://api.typelets.com; frame-src 'self' https://clerk.typelets.com https://*.clerk.accounts.dev https://challenges.cloudflare.com; worker-src 'self' blob:;" always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://clerk.typelets.com https://*.clerk.accounts.dev https://static.cloudflareinsights.com https://cdn.jsdelivr.net blob:; script-src-elem 'self' 'unsafe-inline' https://clerk.typelets.com https://*.clerk.accounts.dev https://static.cloudflareinsights.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://clerk.typelets.com https://fonts.googleapis.com https://cdn.jsdelivr.net; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://clerk.typelets.com https://cdn.jsdelivr.net; img-src 'self' data: https: blob:; font-src 'self' data: https://clerk.typelets.com https://fonts.gstatic.com https://cdn.jsdelivr.net; connect-src 'self' https://clerk.typelets.com https://*.clerk.accounts.dev https://cloudflareinsights.com wss://ws-api.typelets.com https://api.typelets.com blob:; frame-src 'self' https://clerk.typelets.com https://*.clerk.accounts.dev https://challenges.cloudflare.com; worker-src 'self' blob:; child-src 'self' blob:;" always;
 
         # === Proxy API requests to backend service ===
         location /api/ {
