Skip to content

Commit 27e3cf8

Browse files
committed
fix(analytics): apply runtime CSP to all landing pages, not just /
GTM/GA4 script-src and connect-src allowlist entries are gated behind isHosted, which next.config.ts's build-time CSP bakes in from whatever NEXT_PUBLIC_APP_URL was resolved at build/boot time. Only the homepage route was overridden with the request-time CSP in proxy.ts, so every other landing page (including /demo) silently lost the googletagmanager.com/google-analytics.com allowlist and GTM never fired.
1 parent 8bc0d97 commit 27e3cf8

1 file changed

Lines changed: 9 additions & 5 deletions

File tree

apps/sim/proxy.ts

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -283,11 +283,15 @@ export async function proxy(request: NextRequest) {
283283
const response = NextResponse.next()
284284
response.headers.set('Vary', 'User-Agent')
285285

286-
if (url.pathname === '/') {
287-
response.headers.set('Content-Security-Policy', generateRuntimeCSP())
288-
response.headers.set('X-Content-Type-Options', 'nosniff')
289-
response.headers.set('X-Frame-Options', 'SAMEORIGIN')
290-
}
286+
// Every remaining matched route (landing/marketing pages, /demo, /pricing, etc.)
287+
// needs the runtime CSP, not next.config.ts's build-time policy — the build-time
288+
// policy bakes `isHosted` from whatever NEXT_PUBLIC_APP_URL was available at
289+
// build/boot time, which silently drops the googletagmanager.com/google-analytics.com
290+
// allowlist entries when that value wasn't resolved yet. Previously only '/' got this
291+
// override, so GTM/GA loaded on the homepage but was CSP-blocked everywhere else.
292+
response.headers.set('Content-Security-Policy', generateRuntimeCSP())
293+
response.headers.set('X-Content-Type-Options', 'nosniff')
294+
response.headers.set('X-Frame-Options', 'SAMEORIGIN')
291295

292296
return track(request, response)
293297
}

0 commit comments

Comments
 (0)