From 7431c91ca28781908fb8baa575827b37683366d5 Mon Sep 17 00:00:00 2001
From: Victorien Gauch <85494462+VGau@users.noreply.github.com>
Date: Wed, 18 Jun 2025 17:25:48 +0200
Subject: [PATCH] Fix: update csp headers in bridge ui (#1187)
* fix: update csp headers in bridge ui
* fix: update csp headers in bridge ui
---
 bridge-ui/src/middleware.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/bridge-ui/src/middleware.ts b/bridge-ui/src/middleware.ts
index 357ede36..4bffde57 100644
--- a/bridge-ui/src/middleware.ts
+++ b/bridge-ui/src/middleware.ts
@@ -7,7 +7,7 @@ export function middleware(request: NextRequest) {
 // We only want to allow unsafe-eval in local environment for NextJS dev server
 // We are required to use unsafe-inline with Cloudflare - https://developers.cloudflare.com/fundamentals/reference/policies-compliances/content-security-policies/#product-requirements
 // TODO: Remove unsafe-eval in production and replace with 'unsafe-inline'
- const unsafeScript = process.env.NEXT_PUBLIC_ENVIRONMENT === "local" ? "'unsafe-eval'" : "'unsafe-eval'";
+ // const unsafeScript = process.env.NEXT_PUBLIC_ENVIRONMENT === "local" ? "'unsafe-eval'" : "'unsafe-eval'";
 /**
 * Content Security Policy (CSP) configuration:
@@ -54,8 +54,7 @@ export function middleware(request: NextRequest) {
 */
 const cspHeader = `
 default-src 'self';
- script-src 'self' 'nonce-${nonce}' ${unsafeScript} https://bridge.linea.build https://bridge-devnet.linea.build
-https://www.googletagmanager.com/gtm.js https://widget.intercom.io/widget/h5zisg78;
+ script-src 'self' 'nonce-${nonce}' https://www.googletagmanager.com/gtm.js https://widget.intercom.io/widget/h5zisg78 https://ajax.cloudflare.com https://js.intercomcdn.com;
 style-src 'self' 'unsafe-inline';
 img-src 'self' blob: data: https:;
 font-src 'self' data: https://cdn.jsdelivr.net;
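Review bot: The three comment lines kept above the now commented-out `unsafeScript` describe a variable and a local-only `'unsafe-eval'` allowance that no longer exist, and the dev-server exception the first comment calls out has been dropped for every environment rather than just production. If the Next.js dev server still needs eval locally, `const unsafeScript = process.env.NEXT_PUBLIC_ENVIRONMENT === "local" ? "'unsafe-eval'" : "";` and interpolating `${unsafeScript}` back into script-src keeps local development working while production stays eval-free; if it does not, delete the commented-out line and the three stale comments instead of leaving dead code that a future edit may uncomment. Either way, the "We are required to use unsafe-inline with Cloudflare" comment should be reworded, since the policy built below does not include `'unsafe-inline'` for scripts and a nonce-bearing directive makes browsers ignore it anyway. The enclosing `middleware` function starts before and continues after this hunk.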
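Review bot: The new script-src allows `https://ajax.cloudflare.com` and `https://js.intercomcdn.com` as whole origins, while the two neighbouring third-party entries are scoped to a single path; `js.intercomcdn.com` looks like a shared CDN host, so if the widget's script paths are stable, scoping them the same way (`https://js.intercomcdn.com/<path>`) keeps the policy consistent and narrows what an attacker who can upload to that host could execute. Because the directive carries `'nonce-${nonce}'`, any inline script Cloudflare injects (the comment earlier in this function references the Cloudflare CSP requirements page) and any script that GTM's `gtm.js` injects at runtime will be blocked unless it carries the nonce or the policy adds `'strict-dynamic'`; this is not visible from the diff, so it should be confirmed in a browser console on a production-like deployment before the change ships. A short comment above the directive recording why each origin is present, e.g. `// ajax.cloudflare.com: Cloudflare-injected scripts; js.intercomcdn.com: Intercom messenger assets`, would make the next audit of this list much easier. The `cspHeader` template literal opens in this hunk and closes outside it.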