Merge pull request #1780 from appwrite/fix-previews

Fix website previews
appwrite · Feb 18, 2025 · 8d8ca67 · 8d8ca67
2 parents 0677d7e + bd9d1f7
commit 8d8ca67
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 17 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -76,4 +76,4 @@ COPY --from=build /app/build/ build
 COPY --from=build /app/server/ server
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile --prod
 
-CMD [ "node", "server/main.js"]
+CMD [ "node", "server/main.js"]
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
@@ -38,24 +38,44 @@ const securityheaders: Handle = async ({ event, resolve }) => {
         }
     });
 
-    const cspDirectives = [
-        "default-src 'self'",
-        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.posthog.com https://*.plausible.io https://plausible.io",
-        "style-src 'self' 'unsafe-inline'",
-        "img-src 'self' data: https:",
-        "font-src 'self'",
-        "object-src 'none'",
-        "base-uri 'self'",
-        "form-action 'self'",
-        "frame-ancestors 'self' https://www.youtube.com https://*.vimeo.com",
-        'block-all-mixed-content',
-        'upgrade-insecure-requests',
-        "connect-src 'self' https://*.appwrite.io https://*.appwrite.org https://*.posthog.com https://*.sentry.io https://*.plausible.io https://plausible.io",
-        "frame-src 'self' https://www.youtube.com https://status.appwrite.online https://www.youtube-nocookie.com https://player.vimeo.com"
-    ];
+    // `true` if deployed via Coolify.
+    const isPreview = !!process.env.COOLIFY_FQDN;
+    // COOLIFY_FQDN already includes `http`.
+    const previewDomain = isPreview ? `${process.env.COOLIFY_FQDN}` : null;
+
+    const cspDirectives: Record<string, string> = {
+        'default-src': "'self'",
+        'script-src':
+            "'self' 'unsafe-inline' 'unsafe-eval' https://*.posthog.com https://*.plausible.io https://plausible.io",
+        'style-src': "'self' 'unsafe-inline'",
+        'img-src': "'self' data: https:",
+        'font-src': "'self'",
+        'object-src': "'none'",
+        'base-uri': "'self'",
+        'form-action': "'self'",
+        'frame-ancestors': "'self' https://www.youtube.com https://*.vimeo.com",
+        'block-all-mixed-content': '',
+        'upgrade-insecure-requests': '',
+        'connect-src':
+            "'self' https://*.appwrite.io https://*.appwrite.org https://*.posthog.com https://*.sentry.io https://*.plausible.io https://plausible.io",
+        'frame-src':
+            "'self' https://www.youtube.com https://status.appwrite.online https://www.youtube-nocookie.com https://player.vimeo.com"
+    };
+
+    if (isPreview) {
+        ['default-src', 'script-src', 'style-src', 'img-src', 'font-src', 'connect-src'].forEach(
+            (key) => {
+                cspDirectives[key] += ` ${previewDomain}`;
+            }
+        );
+    }
+
+    const cspDirectivesString = Object.entries(cspDirectives)
+        .map(([key, value]) => `${key} ${value}`.trim())
+        .join('; ');
 
     // Set security headers
-    response.headers.set('Content-Security-Policy', cspDirectives.join('; '));
+    response.headers.set('Content-Security-Policy', cspDirectivesString);
 
     // HTTP Strict Transport Security
     // max-age is set to 1 year in seconds