
fix: add CSP headers to allow connections to *.objectstack.ai domain#1149

Merged
hotlong merged 1 commit into main from claude/fix-cors-error-on-vercel-deployment on Apr 15, 2026

Conversation

@Claude Claude AI (Contributor) commented Apr 15, 2026

Vercel deployment was blocking client connections to https://demo.objectstack.ai/.well-known/objectstack with CSP violation. The existing policy only allowed *.objectstack.io domains.

Changes

  • Added explicit Content-Security-Policy header in apps/studio/vercel.json
  • Extended connect-src directive to include https://*.objectstack.ai alongside existing *.objectstack.io
  • Applied CSP to all routes via /(.*) source pattern

CSP Policy

connect-src 'self' ws: wss: http://localhost:* https://*.objectstack.io https://*.objectstack.ai https://*.sentry.io

This allows the client discovery mechanism to probe both production (.io) and demo (.ai) domains during connection initialization.

The CSP policy was blocking connections to https://demo.objectstack.ai
because it only allowed https://*.objectstack.io. This adds explicit
CSP headers in vercel.json to allow both *.objectstack.io and
*.objectstack.ai domains in the connect-src directive.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>
@vercel vercel bot commented Apr 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project          | Deployment | Actions          | Updated (UTC)
objectstack-demo | Building   | Preview, Comment | Apr 15, 2026 8:56am
spec             | Building   | Preview, Comment | Apr 15, 2026 8:56am


@hotlong hotlong marked this pull request as ready for review April 15, 2026 08:56
Copilot AI review requested due to automatic review settings April 15, 2026 08:56
@hotlong hotlong merged commit 3b36a95 into main Apr 15, 2026
8 of 12 checks passed
Copilot AI (Contributor) left a comment


Pull request overview

Adds a Vercel-level Content Security Policy for Studio to unblock client-side discovery/connection flows to *.objectstack.ai (in addition to existing *.objectstack.io) during initialization.

Changes:

  • Adds a Content-Security-Policy response header in apps/studio/vercel.json.
  • Extends connect-src to allow https://*.objectstack.ai.
  • Applies the header broadly via source: "/(.*)".

Comment thread apps/studio/vercel.json
"headers": [
{
"key": "Content-Security-Policy",
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https:; connect-src 'self' ws: wss: http://localhost:* https://*.objectstack.io https://*.objectstack.ai https://*.sentry.io"
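Review bot: the connect-src on this line lists bare ws: and wss: scheme sources, which admit WebSocket connections to any host and make the enumerated https://*.objectstack.io / https://*.objectstack.ai / https://*.sentry.io entries irrelevant for socket traffic; prefer naming the socket endpoints the client actually uses (for example wss://*.objectstack.io wss://*.objectstack.ai). The same value ships http://localhost:* and the blanket https: in img-src to production, and it sets no frame-ancestors, a directive that does not fall back to default-src, so clickjacking protection still has to come from elsewhere.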
Copilot AI commented Apr 15, 2026

This CSP enables script-src 'unsafe-inline' and especially 'unsafe-eval', which significantly weakens XSS protections. If these aren’t strictly required, prefer a tighter policy (e.g., rely on default-src 'self' and only customize connect-src, or use nonces/hashes instead of unsafe-*).

Suggested change
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https:; connect-src 'self' ws: wss: http://localhost:* https://*.objectstack.io https://*.objectstack.ai https://*.sentry.io"
"value": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https:; connect-src 'self' ws: wss: http://localhost:* https://*.objectstack.io https://*.objectstack.ai https://*.sentry.io"

Comment thread apps/studio/vercel.json
},
"headers": [
{
"source": "/(.*)",
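Review bot: narrowing "source": "/(.*)" is a tidiness change rather than a hardening one: browsers only enforce a CSP delivered on document and worker-script responses, so the header on /api/ JSON is inert, whereas a negative lookahead that drops /assets/ would also remove the policy from any worker script served from there. Whatever exclusion is chosen should mirror the existing rewrite rule exactly, so every SPA route served through that rewrite still receives the header.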
Copilot AI commented Apr 15, 2026

source: "/(.*)" applies the CSP header to every request (including /assets/* and /api/*). Consider scoping CSP to document routes only (e.g., exclude /assets/ and /api/ with a negative lookahead similar to the rewrite rule) to avoid adding CSP headers to non-document responses.

Suggested change
"source": "/(.*)",
"source": "/((?!api/|assets/).*)",

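As an added example (not the project's code), a small Python checker that parses the CSP value from this PR, confirms that connect-src now admits the demo origin the PR description mentions, and flags the weaknesses raised in review (the unsafe-* keywords in script-src and the bare ws:/wss: schemes in connect-src). The policy string is copied from the page; the matching logic is a simplified version of the CSP host-source rules (wildcard hosts need at least one extra label, http:/ws: sources also match their secure counterparts).

```python
# Added example (not the project's code): parse a CSP header and check what it
# permits. STUDIO_CSP is the header value shown in this PR's vercel.json.
from urllib.parse import urlsplit

STUDIO_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https:; "
    "connect-src 'self' ws: wss: http://localhost:* https://*.objectstack.io "
    "https://*.objectstack.ai https://*.sentry.io"
)
DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}

def parse_csp(header):
    """Return {directive: [source expressions]}; browsers honour the first duplicate."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _scheme_ok(allowed, actual):
    # CSP lets http:/ws: sources also match their secure counterparts.
    return allowed == actual or (allowed, actual) in {("http", "https"), ("ws", "wss")}

def _source_matches(expr, url):
    """Simplified CSP host-source/scheme-source matching for one expression."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    if "://" not in expr:  # keyword such as 'self' (needs page context) or bare scheme "wss:"
        return not expr.startswith("'") and _scheme_ok(expr.rstrip(":"), u.scheme)
    e_scheme, rest = expr.split("://", 1)
    e_host, _, e_port = rest.split("/", 1)[0].partition(":")
    host_ok = u.hostname.endswith(e_host[1:]) if e_host.startswith("*.") else u.hostname == e_host
    port_ok = e_port == "*" or port == (int(e_port) if e_port else DEFAULT_PORTS[e_scheme])
    return _scheme_ok(e_scheme, u.scheme) and host_ok and port_ok

def connect_allowed(policy, url):
    """Would a fetch()/WebSocket to url pass connect-src (falling back to default-src)?"""
    sources = policy.get("connect-src", policy.get("default-src", []))
    return any(_source_matches(s, url) for s in sources)

def audit(policy):
    """Findings a reviewer would raise against this policy."""
    script = policy.get("script-src", policy.get("default-src", []))
    findings = [f"script-src allows {kw}" for kw in ("'unsafe-inline'", "'unsafe-eval'") if kw in script]
    findings += [f"connect-src allows any {s[:-1]} host via bare scheme {s}"
                 for s in policy.get("connect-src", []) if s in ("ws:", "wss:", "http:", "https:")]
    return findings
```

Removing the https://*.objectstack.ai entry from STUDIO_CSP reproduces the original violation for https://demo.objectstack.ai, while the bare wss: source still lets any WebSocket host through.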