From 2f28155595197fedff9e039d28d1cfb6834f9383 Mon Sep 17 00:00:00 2001
From: waleed
Date: Fri, 1 May 2026 18:11:05 -0700
Subject: [PATCH 1/4] fix(csp): allow https images in markdown preview and html sandbox

---
 .../components/file-viewer/preview-panel.tsx | 2 +-
 apps/sim/lib/core/security/csp.ts | 18 +-----------------
 2 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx b/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
index bf9794f1ada..8db5d438a6d 100644
--- a/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
@@ -734,7 +734,7 @@ const HTML_PREVIEW_CSP = [
  "default-src 'none'",
  "script-src 'unsafe-inline'",
  "style-src 'unsafe-inline'",
- 'img-src data: blob:',
+ "img-src 'self' https: data: blob:",
  'font-src data:',
  'media-src data: blob:',
  "connect-src 'none'",
diff --git a/apps/sim/lib/core/security/csp.ts b/apps/sim/lib/core/security/csp.ts
index 9ee4ff34b03..3e0e380f27a 100644
--- a/apps/sim/lib/core/security/csp.ts
+++ b/apps/sim/lib/core/security/csp.ts
@@ -61,23 +61,7 @@ const STATIC_SCRIPT_SRC = [
  : []),
 ] as const
 
-const STATIC_IMG_SRC = [
- "'self'",
- 'data:',
- 'blob:',
- 'https://*.googleusercontent.com',
- 'https://*.google.com',
- 'https://*.atlassian.com',
- 'https://cdn.discordapp.com',
- 'https://*.githubusercontent.com',
- 'https://*.s3.amazonaws.com',
- 'https://s3.amazonaws.com',
- 'https://*.amazonaws.com',
- 'https://*.blob.core.windows.net',
- 'https://github.com/*',
- 'https://cursor.com',
- ...(isHosted ? ['https://www.googletagmanager.com', 'https://www.google-analytics.com'] : []),
-] as const
+const STATIC_IMG_SRC = ["'self'", 'data:', 'blob:', 'https:'] as const
 
 const STATIC_CONNECT_SRC = [
  "'self'",
From a3905af3ef1a585a5d3885f74e2d06a6c212a875 Mon Sep 17 00:00:00 2001
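Review bot: The new `'https:'` entry in STATIC_IMG_SRC turns the application CSP's img-src from an allow-list of known hosts into "any HTTPS origin", so the header no longer limits where user-authored markdown can make the browser fetch images from, and image URLs are the classic channel for tracking pixels and query-string exfiltration. That may be an acceptable trade-off for a markdown previewer, but nothing in the file records it; I would add above the constant: `// Any https origin is allowed: markdown previews embed arbitrary user-supplied image URLs. 'self' is kept because 'https:' does not cover same-origin http in local dev.` Note also that `'https:'` does not match `http://` hosts, so a self-hosted deployment serving images from plain-HTTP object storage only works when it is same-origin — the removed list never covered such hosts either, but the intent is now less visible. If `isHosted` had no other reader in this file it is now unused; I cannot see the rest of the file to confirm.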
From: waleed
Date: Fri, 1 May 2026 18:15:32 -0700
Subject: [PATCH 2/4] fix(csp): remove inoperative self token from sandboxed html preview img-src

---
 .../files/components/file-viewer/preview-panel.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx b/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
index 8db5d438a6d..bcc9402e11a 100644
--- a/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
@@ -734,7 +734,7 @@ const HTML_PREVIEW_CSP = [
  "default-src 'none'",
  "script-src 'unsafe-inline'",
  "style-src 'unsafe-inline'",
- "img-src 'self' https: data: blob:",
+ 'img-src https: data: blob:',
  'font-src data:',
  'media-src data: blob:',
  "connect-src 'none'",
From 7a18f1fec2db2d6cd5b0da9586a4f28c0e0265d8 Mon Sep 17 00:00:00 2001
From: waleed
Date: Fri, 1 May 2026 18:27:27 -0700
Subject: [PATCH 3/4] chore(csp): remove redundant img-src entries superseded by https scheme

---
 apps/sim/lib/core/security/csp.ts | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)

diff --git a/apps/sim/lib/core/security/csp.ts b/apps/sim/lib/core/security/csp.ts
index 3e0e380f27a..ea5e7e7f719 100644
--- a/apps/sim/lib/core/security/csp.ts
+++ b/apps/sim/lib/core/security/csp.ts
@@ -131,20 +131,7 @@ export const buildTimeCSPDirectives: CSPDirectives = {
  'script-src': [...STATIC_SCRIPT_SRC],
  'style-src': ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
- 'img-src': [
- ...STATIC_IMG_SRC,
- ...(env.S3_BUCKET_NAME && env.AWS_REGION
- ? [`https://${env.S3_BUCKET_NAME}.s3.${env.AWS_REGION}.amazonaws.com`]
- : []),
- ...(env.S3_KB_BUCKET_NAME && env.AWS_REGION
- ? [`https://${env.S3_KB_BUCKET_NAME}.s3.${env.AWS_REGION}.amazonaws.com`]
- : []),
- ...(env.S3_CHAT_BUCKET_NAME && env.AWS_REGION
- ? [`https://${env.S3_CHAT_BUCKET_NAME}.s3.${env.AWS_REGION}.amazonaws.com`]
- : []),
- ...getHostnameFromUrl(env.NEXT_PUBLIC_BRAND_LOGO_URL),
- ...getHostnameFromUrl(env.NEXT_PUBLIC_BRAND_FAVICON_URL),
- ],
+ 'img-src': [...STATIC_IMG_SRC],
  'media-src': ["'self'", 'blob:'],
  'worker-src': ["'self'", 'blob:'],
@@ -200,14 +187,13 @@ export function generateRuntimeCSP(): string {
  const ollamaUrl = getEnv('OLLAMA_URL') || (isDev ? DEFAULT_OLLAMA_URL : '')
  const brandLogoDomains = getHostnameFromUrl(getEnv('NEXT_PUBLIC_BRAND_LOGO_URL'))
- const brandFaviconDomains = getHostnameFromUrl(getEnv('NEXT_PUBLIC_BRAND_FAVICON_URL'))
  const privacyDomains = getHostnameFromUrl(getEnv('NEXT_PUBLIC_PRIVACY_URL'))
  const termsDomains = getHostnameFromUrl(getEnv('NEXT_PUBLIC_TERMS_URL'))
  const runtimeDirectives: CSPDirectives = {
  ...buildTimeCSPDirectives,
- 'img-src': [...STATIC_IMG_SRC, ...brandLogoDomains, ...brandFaviconDomains],
+ 'img-src': [...STATIC_IMG_SRC],
  'connect-src': [
  ...STATIC_CONNECT_SRC,
From 4c085197ae2bb1537ffcd465988ae131c5d7ed3d Mon Sep 17 00:00:00 2001
From: waleed
Date: Fri, 1 May 2026 18:31:53 -0700
Subject: [PATCH 4/4] fix(csp): revert html preview img-src to data: blob: to preserve connect-src none isolation

---
 .../files/components/file-viewer/preview-panel.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
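Review bot: Dropping `...getHostnameFromUrl(env.NEXT_PUBLIC_BRAND_LOGO_URL)` and the favicon line from the build-time img-src is only equivalent to the old behaviour when those URLs are HTTPS or same-origin: `'https:'` in STATIC_IMG_SRC does not match an `http://` host and `'self'` covers only the app's own origin, so a self-hosted deployment pointing NEXT_PUBLIC_BRAND_LOGO_URL at a plain-HTTP host would now have its logo blocked where it previously loaded. I cannot see getHostnameFromUrl, so whether it emits scheme-qualified sources or bare hosts is unverified. If non-HTTPS brand assets are not meant to be supported, a note on the new line would stop someone re-adding the entries: `'img-src': [...STATIC_IMG_SRC], // 'https:' already covers the S3 buckets and any https brand asset host`. The S3 removals themselves are safe, since every removed bucket source was an https URL. buildTimeCSPDirectives continues outside the hunk.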
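Review bot: `brandLogoDomains` is still computed on the second context line, but its only visible consumer, the spread in `'img-src'`, is removed by this hunk, so unless generateRuntimeCSP reads it further down (the function continues outside the hunk) it is now a dead variable that lint will flag; `brandFaviconDomains` was deleted for exactly that reason and the `const brandLogoDomains = ...` line should go with it. If instead non-HTTPS logo hosts must keep working (`'https:'` does not match `http://`), keep the spread: `'img-src': [...STATIC_IMG_SRC, ...brandLogoDomains],`. Either way the runtime `'img-src': [...STATIC_IMG_SRC]` now merely repeats the value already inherited from `...buildTimeCSPDirectives`, so the override line can also simply be removed.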
diff --git a/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx b/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
index bcc9402e11a..bf9794f1ada 100644
--- a/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/preview-panel.tsx
@@ -734,7 +734,7 @@ const HTML_PREVIEW_CSP = [
  "default-src 'none'",
  "script-src 'unsafe-inline'",
  "style-src 'unsafe-inline'",
- 'img-src https: data: blob:',
+ 'img-src data: blob:',
  'font-src data:',
  'media-src data: blob:',
  "connect-src 'none'",
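Review bot: The restored `'img-src data: blob:'` is the right call, but the reason is not recorded in HTML_PREVIEW_CSP and this series shows how easily it gets widened again; I would annotate the line: `'img-src data: blob:', // no network sources: with script-src 'unsafe-inline', any fetchable origin here lets preview scripts exfiltrate via image URLs despite connect-src 'none'`. Note that `connect-src 'none'` plus this img-src still does not fully isolate the sandbox: `form-action` and `base-uri` do not fall back to `default-src`, so adding `"form-action 'none'"` and `"base-uri 'none'"` closes the form-submission path, while a script navigating the frame itself to an external URL is something CSP cannot stop and only the iframe's sandbox flags (not visible here) govern. HTML_PREVIEW_CSP starts before and continues after the hunk.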