Refine CSP frame-src and connect-src configuration

Summary

Cleanup of CSP configuration based on code analysis of how embeds are actually rendered.

Changes

Blog (frame-src)

Removed entries for domains that are redundant because the renderer normalizes URLs:

  • The 3speak embed code normalizes all variants to 3speak.tv (see ThreeSpeakEmbedder.ts:31 and StaticConfig.ts:98)
  • Removed unavailable embed subdomain entry

Wallet (connect-src)

  • Removed images.hive.blog - wallet only accesses this via server-side API routes (pages/api/avatar.ts), not client-side fetch calls

Testing

  • CSP is in Report-Only mode, so changes won't break functionality
  • Monitor CSP violation reports after deployment to verify no unexpected issues
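To check a frame-src / connect-src cleanup like this one offline, before relying on Report-Only violation reports, here is an added example (not code from this project) of a small CSP source-expression matcher; the policy strings, the removed-subdomain placeholder and the embed URLs it evaluates are constructed for illustration, and it handles only host- and scheme-source expressions.

```typescript
// Added example, not the project's code: a small CSP source-expression matcher that checks
// which URLs a frame-src / connect-src list allows, so a cleanup like this MR can be
// verified offline before relying on Report-Only violation reports. Policies and URLs are
// constructed; only host- and scheme-sources are handled ('self', nonces, hashes never match).
type Policy = Record<string, string[]>;
// "frame-src https://3speak.tv; connect-src 'self'" -> { "frame-src": [...], ... }
function parsePolicy(header: string): Policy {
  const policy: Policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// One source expression (e.g. https://*.example.com:443/path) against a parsed URL.
function sourceMatches(source: string, url: URL): boolean {
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith(`.${host.toLowerCase()}`) : h !== host.toLowerCase()) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== urlPort) return false;
  return !path || url.pathname.startsWith(path);
}

// Does `url` pass under `directive`? Fetch directives fall back to default-src.
function allows(header: string, directive: string, url: string): boolean {
  const policy = parsePolicy(header);
  const sources = policy[directive] ?? policy["default-src"] ?? ["*"];
  const parsed = new URL(url);
  return sources.some((s) => sourceMatches(s, parsed));
}

// URLs the old policy allowed but the new one blocks: the list to review by hand.
function newlyBlocked(oldHeader: string, newHeader: string, directive: string, urls: string[]): string[] {
  return urls.filter((u) => allows(oldHeader, directive, u) && !allows(newHeader, directive, u));
}

// Constructed policies with the shape of this change (not the project's real headers).
const frameImpact = newlyBlocked(
  "frame-src https://3speak.tv https://removed-subdomain.example", // hypothetical old entry
  "frame-src https://3speak.tv",
  "frame-src",
  ["https://3speak.tv/embed?v=constructed", "https://removed-subdomain.example/embed?v=1"],
);
```

Running `newlyBlocked` over the embed URLs the renderer actually emits (after its normalization to 3speak.tv) gives the exact set of origins whose violation reports are expected after deployment; anything else in the reports needs a look.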
