From 8ec303295c7b5799c15ad1a28965a367162ca3bc Mon Sep 17 00:00:00 2001 From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com> Date: Wed, 15 Apr 2026 08:55:11 +0000 Subject: [PATCH] fix: add CSP headers to allow connections to *.objectstack.ai domain MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CSP policy was blocking connections to https://demo.objectstack.ai because it only allowed https://*.objectstack.io. This adds explicit CSP headers in vercel.json to allow both *.objectstack.io and *.objectstack.ai domains in the connect-src directive. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>
---
 apps/studio/vercel.json | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/apps/studio/vercel.json b/apps/studio/vercel.json
index 96e8daf72..a05ca1b17 100644
--- a/apps/studio/vercel.json
+++ b/apps/studio/vercel.json
@@ -17,6 +17,15 @@
 }
 },
 "headers": [
+ {
+ "source": "/(.*)",
+ "headers": [
+ {
+ "key": "Content-Security-Policy",
+ "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https:; connect-src 'self' ws: wss: http://localhost:* https://*.objectstack.io https://*.objectstack.ai https://*.sentry.io"
+ }
+ ]
+ },
 {
 "source": "/assets/(.*)",
 "headers": [
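Review bot: The `connect-src` in the new `Content-Security-Policy` value is much wider than the two domains the commit message names: the bare `ws:` and `wss:` schemes permit WebSocket connections to any host, and `http://localhost:*` is sent on every route (`/(.*)`), presumably including production. That leaves the `https://` host allowlist with little value as an exfiltration control, because any script running in the page may still open a socket to an arbitrary origin. If sockets are only needed to the project's own back ends (not visible from this hunk), I would scope them, e.g. `connect-src 'self' https://*.objectstack.io wss://*.objectstack.io https://*.objectstack.ai wss://*.objectstack.ai https://*.sentry.io`, and keep the localhost entry in a development-only configuration. Separately, `script-src` with `'unsafe-inline' 'unsafe-eval'` gives little XSS protection, and `base-uri` does not fall back to `default-src`, so adding `base-uri 'self'; object-src 'none'` is worth considering. The `headers` array continues past the end of the hunk.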