From cfa69b814606699e87367c0b3be1faab4ecdb45c Mon Sep 17 00:00:00 2001
From: Victorien Gauch <85494462+VGau@users.noreply.github.com>
Date: Wed, 18 Jun 2025 16:20:30 +0200
Subject: [PATCH] fix: update csp headers in bridge ui (#1183)
---
 bridge-ui/src/middleware.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bridge-ui/src/middleware.ts b/bridge-ui/src/middleware.ts
index 3d469c5f..357ede36 100644
--- a/bridge-ui/src/middleware.ts
+++ b/bridge-ui/src/middleware.ts
@@ -6,7 +6,8 @@ export function middleware(request: NextRequest) {
 // We only want to allow unsafe-eval in local environment for NextJS dev server
 // We are required to use unsafe-inline with Cloudflare - https://developers.cloudflare.com/fundamentals/reference/policies-compliances/content-security-policies/#product-requirements
- const unsafeScript = process.env.NEXT_PUBLIC_ENVIRONMENT === "local" ? "'unsafe-eval'" : "'unsafe-inline'";
+ // TODO: Remove unsafe-eval in production and replace with 'unsafe-inline'
+ const unsafeScript = process.env.NEXT_PUBLIC_ENVIRONMENT === "local" ? "'unsafe-eval'" : "'unsafe-eval'";
 /**
 * Content Security Policy (CSP) configuration:
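Review bot: Both arms of the ternary on the new `unsafeScript` line are now `"'unsafe-eval'"`, so every environment, production included, is served `'unsafe-eval'`, and the two context comments above it ("only ... in local environment", "required to use unsafe-inline with Cloudflare") no longer describe what the code does. If production really needs eval for now, state it directly rather than through a dead conditional, e.g. `const unsafeScript = "'unsafe-eval'"; // TEMPORARY: <what needs eval>, tracked in <issue link>`, and update the comments to match. The TODO should name the dependency that requires eval and link a tracking issue, because `'unsafe-eval'` lets page scripts turn strings into code (`eval()`, `new Function()`) and so removes a CSP protection against DOM-based injection; if the need turns out to be WebAssembly compilation, `'wasm-unsafe-eval'` is the narrower keyword. The change also stops emitting `'unsafe-inline'` in production, which the Cloudflare comment says is required, so that is worth confirming against the policy string, which is built outside this hunk.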