fix(csp): add missing analytics domains, remove unsafe-eval, fix workspace CSP gap #4179

Merged
waleedlatif1 merged 1 commit into staging from waleedlatif1/fix-type-errors on Apr 15, 2026

Conversation

@waleedlatif1 (Collaborator)

Summary

  • Add missing CSP domains for Google Analytics (analytics.google.com, www.google.com) and Ahrefs (analytics.ahrefs.com) that were causing console violations on sim.ai
  • Extract shared STATIC_* constants so build-time and runtime CSP compose from a single source of truth — no more duplicate domain lists that drift apart
  • Remove unsafe-eval from script-src — nothing in the app uses eval() and the workflow execution endpoint already has its own permissive CSP
  • Fix bug where /workspace/* routes had no CSP header at all (middleware returned early before setting it, and next.config.ts excluded them)
  • Fix route overlap where /login and /signup got redundant CSP from both middleware and next.config.ts

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)
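The "single source of truth" point in the summary is easiest to see in code. The block below is an added example, not the project's csp.ts: it composes a CSP header from shared static source lists, derives both a build-time and a request-time policy from them, and audits the result for 'unsafe-eval'. The host lists are constructed for illustration (only the analytics hosts named in the PR come from it), and the `runtimeConnectSrc` parameter stands in for whatever a deployment resolves from its environment at request time.

```typescript
// Added example, not the sim.ai project's csp.ts: compose a Content-Security-Policy
// header from shared source lists so the build-time and request-time policies are
// generated from one definition and cannot drift apart. Host lists are constructed for
// illustration; only the analytics hosts named in the PR are taken from it.

type CspDirective =
  | 'default-src' | 'script-src' | 'connect-src' | 'img-src'
  | 'frame-src' | 'frame-ancestors' | 'object-src' | 'base-uri';

type CspDirectives = Partial<Record<CspDirective, readonly string[]>>;

// Serialization order; also the list every helper iterates over.
const DIRECTIVE_ORDER: readonly CspDirective[] = [
  'default-src', 'script-src', 'connect-src', 'img-src',
  'frame-src', 'frame-ancestors', 'object-src', 'base-uri',
];

// Shared static lists, playing the role of the PR's STATIC_* constants.
export const STATIC_SCRIPT_SRC: readonly string[] = [
  "'self'", 'https://www.google.com', 'https://analytics.ahrefs.com',
];
export const STATIC_CONNECT_SRC: readonly string[] = [
  "'self'",
  'https://analytics.google.com',   // apex: a wildcard entry alone would not cover it
  'https://*.analytics.google.com', // subdomains under the apex
  'https://analytics.ahrefs.com',
];
export const STATIC_IMG_SRC: readonly string[] = ["'self'", 'data:', 'https://www.google.com'];

// Base policy shared by both composition paths. Note: no 'unsafe-eval' anywhere.
export const STATIC_DIRECTIVES: CspDirectives = {
  'default-src': ["'self'"],
  'script-src': STATIC_SCRIPT_SRC,
  'connect-src': STATIC_CONNECT_SRC,
  'img-src': STATIC_IMG_SRC,
  'frame-src': ["'self'"],
  'frame-ancestors': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
};

// Return a new policy with `extra` merged into `base`, de-duplicated per directive and
// keeping the base order so the header is stable across requests.
export function extendDirectives(base: CspDirectives, extra: CspDirectives): CspDirectives {
  const out: CspDirectives = {};
  for (const name of DIRECTIVE_ORDER) {
    const merged = [...(base[name] ?? []), ...(extra[name] ?? [])];
    if (merged.length > 0) out[name] = Array.from(new Set(merged));
  }
  return out;
}

// Serialize to the header value: "directive source source; directive source".
export function serializeCsp(policy: CspDirectives): string {
  const parts: string[] = [];
  for (const name of DIRECTIVE_ORDER) {
    const sources = policy[name];
    if (sources && sources.length > 0) parts.push(`${name} ${sources.join(' ')}`);
  }
  return parts.join('; ');
}

// Parse a header value back into directives (for tests and response-header audits).
export function parseCsp(header: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    out.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return out;
}

// Build-time policy: the static lists only, as a next.config.ts headers() entry would embed them.
export function buildTimeCsp(): string {
  return serializeCsp(STATIC_DIRECTIVES);
}

// Request-time policy: static lists plus sources only known when the request is served.
// `runtimeConnectSrc` stands in for whatever the deployment resolves from its environment
// (an API origin, for instance); the parameter is an assumption of this example.
export function runtimeCsp(runtimeConnectSrc: readonly string[] = []): string {
  return serializeCsp(extendDirectives(STATIC_DIRECTIVES, { 'connect-src': runtimeConnectSrc }));
}

// Audit helper: does any directive of this header grant 'unsafe-eval'?
export function grantsUnsafeEval(header: string): boolean {
  return Array.from(parseCsp(header).values()).some((s) => s.includes("'unsafe-eval'"));
}
```

Because both `buildTimeCsp()` and `runtimeCsp()` read the same `STATIC_DIRECTIVES`, adding a host to one list changes both outputs, which is the property the PR's refactor is after; `grantsUnsafeEval` is the kind of check to run against every response header once 'unsafe-eval' has been dropped, so a stray `default-src * 'unsafe-eval'` from another route cannot creep back unnoticed.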

@vercel

vercel bot commented Apr 15, 2026

1 Skipped Deployment
Project docs: deployment Skipped, updated Apr 15, 2026 6:44am (UTC)

@cursor

cursor bot commented Apr 15, 2026

PR Summary

Medium Risk
Touches CSP and security headers across middleware and next.config.ts, which can easily break third-party scripts/embeds or block needed network calls if misconfigured. Changes are localized but affect most page responses.

Overview
Unifies CSP configuration by extracting shared STATIC_* source lists and composing both build-time and runtime policies from the same directives, replacing the previous hand-built runtime CSP string.

Adjusts allowed sources by removing unsafe-eval from script-src, expanding frame-src to a broader set of embed providers, and adding missing analytics domains (Google/Ahrefs) plus a few additional image/connect domains.

Fixes header application gaps/overlap by having middleware (proxy.ts) set CSP + nosniff + SAMEORIGIN on /workspace/*, /login, /signup, and /, and updating next.config.ts route header patterns to exclude those paths from duplicate header injection.

Reviewed by Cursor Bugbot for commit f7aeaf6.

@greptile-apps (Contributor)

greptile-apps bot commented Apr 15, 2026

Greptile Summary

This PR centralizes CSP configuration into STATIC_* constants shared by both build-time and runtime paths, adds missing analytics domains (analytics.google.com, www.google.com, analytics.ahrefs.com), removes unsafe-eval from script-src, and fixes a gap where /workspace/*, /login, /signup, and / routes received no CSP header from middleware. The next.config.ts catch-all exclusion pattern is updated to avoid double-header conflicts on the newly covered routes.

Confidence Score: 5/5

Safe to merge — all route/CSP logic is correct, no double-header conflicts, and the unsafe-eval removal is conservative and intentional.

No P0 or P1 issues found. The STATIC_* refactor correctly deduplicates domain lists, the catch-all negative-lookahead regex properly excludes all middleware-owned routes (including root via $), both explicit analytics.google.com and *.analytics.google.com entries in connect-src are non-redundant (wildcard excludes the apex), and workspace/login/signup/root pages now correctly receive runtime CSP via generateRuntimeCSP().

No files require special attention.

Important Files Changed

Filename Overview
apps/sim/lib/core/security/csp.ts Refactored to extract STATIC_* constants and add generateRuntimeCSP() for request-time env var resolution; safe, well-structured change with no logic bugs.
apps/sim/next.config.ts Catch-all CSP header source pattern updated to exclude workspace, login, signup, and root (via $) from getMainCSPPolicy() since middleware now owns those routes; overlap is correctly resolved.
apps/sim/proxy.ts CSP headers now correctly set on /login, /signup, /workspace/*, and / via generateRuntimeCSP(); X-Content-Type-Options and X-Frame-Options added consistently across all newly covered routes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    REQ[Incoming Request] --> MATCH{Route?}

    MATCH -->|"/ (root)"| ROOT["middleware: generateRuntimeCSP()"]
    MATCH -->|"/login or /signup"| AUTH_ROUTE["middleware: generateRuntimeCSP()"]
    MATCH -->|"/workspace/* (authenticated)"| WS["middleware: generateRuntimeCSP()"]
    MATCH -->|"/workspace/*/templates"| WS_TEMPL["middleware: NextResponse.next()\n(no CSP — public page)"]
    MATCH -->|"/chat/* or /form/*"| EMBED["next.config.ts:\ngetChatEmbedCSPPolicy()\ngetFormEmbedCSPPolicy()"]
    MATCH -->|"/api/workflows/:id/execute"| EXEC["next.config.ts:\ngetWorkflowExecutionCSPPolicy()\n(unsafe-eval retained)"]
    MATCH -->|"Other routes\n(e.g. /templates, /api/*)"| CATCH["next.config.ts catch-all:\ngetMainCSPPolicy()"]

    ROOT --> CSP1["Content-Security-Policy\n(runtime env vars via getEnv)"]
    AUTH_ROUTE --> CSP1
    WS --> CSP1
    EMBED --> CSP2["Content-Security-Policy\n(build-time + frame-ancestors: *)"]
    EXEC --> CSP3["default-src * unsafe-inline unsafe-eval"]
    CATCH --> CSP4["Content-Security-Policy\n(build-time env vars)"]

Reviews (2): Last reviewed commit: "fix(csp): add missing analytics domains,..."
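Two of Greptile's claims are worth checking mechanically rather than by eye: that every route has exactly one layer setting the CSP header (no gap like the old /workspace/* one, no overlap like the old /login one), and that `*.analytics.google.com` does not cover the apex `analytics.google.com`. The block below is an added example, not the project's proxy.ts or next.config.ts. Its route patterns are constructed from the routes named in this PR and in the flowchart above, the project's real patterns (path-to-regexp sources in next.config.ts) differ, the "legacy" rules are a reconstruction of the bug the PR describes rather than the old code, and the sample path list is constructed.

```typescript
// Added example, not the sim.ai proxy.ts or next.config.ts: decide which layer owns the
// CSP header for a path, audit a list of paths for gaps (no CSP) and overlaps (CSP set
// twice), and apply the CSP host-source matching rule that makes an explicit apex entry
// necessary beside a wildcard. Route patterns are constructed from the routes named in
// the PR and its flowchart; the project's real patterns differ, and the "legacy" rules
// are a reconstruction of the bug the PR describes, not the old code.

export type CspOwner =
  | 'middleware' | 'next.config:embed' | 'next.config:execute' | 'next.config:catch-all';

// Public templates page inside a workspace: served without a CSP in the flowchart.
const WORKSPACE_PUBLIC = /^\/workspace\/[^\/]+\/templates$/;
// Embed and execution routes with their own policies in next.config.ts.
const EMBED = /^\/(chat|form)\/.+/;
const EXECUTE = /^\/api\/workflows\/[^\/]+\/execute$/;
// Catch-all with a negative lookahead for every middleware-owned route; the bare `$`
// alternative is what excludes the root path.
const CATCH_ALL = /^\/(?!workspace(\/|$)|login$|signup$|$).*/;
// Reconstructed pre-fix catch-all: excluded only /workspace/*.
const LEGACY_CATCH_ALL = /^\/(?!workspace(\/|$)).*/;

export function middlewareOwns(path: string): boolean {
  if (path === '/' || path === '/login' || path === '/signup') return true;
  return path.startsWith('/workspace/') && !WORKSPACE_PUBLIC.test(path);
}

// Most specific next.config.ts rule first; the catch-all is consulted last.
function nextConfigOwner(path: string, catchAll: RegExp): CspOwner | null {
  if (EMBED.test(path)) return 'next.config:embed';
  if (EXECUTE.test(path)) return 'next.config:execute';
  if (catchAll.test(path)) return 'next.config:catch-all';
  return null;
}

// Post-fix ownership.
export function cspOwners(path: string): CspOwner[] {
  const owners: CspOwner[] = [];
  if (middlewareOwns(path)) owners.push('middleware');
  const nc = nextConfigOwner(path, CATCH_ALL);
  if (nc) owners.push(nc);
  return owners;
}

// Pre-fix ownership as the PR describes it: middleware set the header only on /login
// and /signup and returned early on /workspace/*, so workspace pages got nothing and
// the auth pages got it twice.
export function legacyCspOwners(path: string): CspOwner[] {
  const owners: CspOwner[] = [];
  if (path === '/login' || path === '/signup') owners.push('middleware');
  const nc = nextConfigOwner(path, LEGACY_CATCH_ALL);
  if (nc) owners.push(nc);
  return owners;
}

export interface OwnershipAudit { gaps: string[]; overlaps: string[] }

// Report paths with no owner (header missing) and paths with several (header set twice).
export function auditCspOwnership(
  paths: readonly string[],
  owners: (path: string) => CspOwner[] = cspOwners,
): OwnershipAudit {
  const gaps: string[] = [];
  const overlaps: string[] = [];
  for (const p of paths) {
    const n = owners(p).length;
    if (n === 0) gaps.push(p);
    if (n > 1) overlaps.push(p);
  }
  return { gaps, overlaps };
}

// Constructed sample of paths to audit (assumed shapes, not taken from the project).
export const SAMPLE_PATHS: readonly string[] = [
  '/', '/login', '/signup',
  '/workspace/ws1', '/workspace/ws1/w/abc', '/workspace/ws1/templates',
  '/chat/abc', '/form/abc', '/api/workflows/wf1/execute',
  '/templates', '/api/health',
];

// CSP host-source matching: a source whose host starts with "*." matches any host with
// at least one extra label under the suffix and never the suffix (apex) itself, which
// is why `analytics.google.com` and `*.analytics.google.com` are both needed.
// Handles host sources only, not scheme-only sources or quoted keywords.
export function hostSourceMatches(source: string, host: string): boolean {
  const s = source.toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, '') // drop scheme
    .replace(/[:\/].*$/, '');               // drop port and path
  const h = host.toLowerCase();
  if (s === '*') return true;
  if (s.startsWith('*.')) {
    const suffix = s.slice(1); // ".analytics.google.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return s === h;
}

export function anySourceMatches(sources: readonly string[], host: string): boolean {
  return sources.some((src) => hostSourceMatches(src, host));
}
```

Running `auditCspOwnership(SAMPLE_PATHS, legacyCspOwners)` reproduces both bugs from the PR description (three workspace paths with no owner, /login and /signup with two), while the post-fix rules leave only the public templates page without a header, which the flowchart marks as intentional. The same audit is cheap to keep as a unit test so a future route addition cannot reopen the gap silently.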

@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/fix-type-errors branch from 67133b7 to bb9c776 Compare April 15, 2026 06:42
@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/fix-type-errors branch from bb9c776 to f7aeaf6 Compare April 15, 2026 06:44
@waleedlatif1 (Collaborator, Author)

@greptile

@waleedlatif1 (Collaborator, Author)

@cursor review

@cursor cursor bot left a comment
✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit f7aeaf6.

@waleedlatif1 waleedlatif1 merged commit 842aa2c into staging Apr 15, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/fix-type-errors branch April 15, 2026 17:34
Sg312 added a commit that referenced this pull request Apr 15, 2026
…mat, logs performance improvements

fix(csp): add missing analytics domains, remove unsafe-eval, fix workspace CSP gap (#4179)
fix(landing): return 404 for invalid dynamic route slugs (#4182)
improvement(seo): optimize sitemaps, robots.txt, and core web vitals across sim and docs (#4170)
fix(gemini): support structured output with tools on Gemini 3 models (#4184)
feat(brightdata): add Bright Data integration with 8 tools (#4183)
fix(mothership): fix superagent credentials (#4185)
fix(logs): close sidebar when selected log disappears from filtered list; cleanup (#4186)