From 5a7225ad839435110d12f1594e05684932824b8a Mon Sep 17 00:00:00 2001
From: Gandalf
Date: Mon, 5 Jan 2026 12:37:13 +0100
Subject: [PATCH] Refine CSP frame-src and connect-src configuration

Blog:
- Remove unused frame-src entries for domains that renderer normalizes to canonical URLs (3speak.tv handles all variants)
- Remove frame-src entry for unavailable embed subdomain

Wallet:
- Remove images.hive.blog from connect-src as wallet only accesses it via server-side API routes, not client-side fetch
---
 apps/blog/next.config.js | 5 +++--
 apps/wallet/next.config.js | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/apps/blog/next.config.js b/apps/blog/next.config.js
index e3ebbfac4..c246b738d 100644
--- a/apps/blog/next.config.js
+++ b/apps/blog/next.config.js
@@ -58,8 +58,9 @@ const cspReportOnly = [
 // Only nodes running proper haf_api_node software are allowed
 "connect-src 'self' https://api.hive.blog https://api.syncad.com https://api.openhive.network https://images.hive.blog",
 // Embedded content: whitelist of allowed iframe sources
- // Based on StaticConfig.ts iframe whitelist
- "frame-src https://platform.twitter.com https://www.instagram.com https://player.vimeo.com https://www.youtube.com https://w.soundcloud.com https://player.twitch.tv https://open.spotify.com https://3speak.tv https://3speak.online https://3speak.co https://emb.d.tube https://odysee.com https://openhive.chat",
+ // Note: 3speak.online/co removed (compromised/spam), code normalizes to 3speak.tv
+ // Note: emb.d.tube removed (subdomain down, no renderer support)
+ "frame-src https://platform.twitter.com https://www.instagram.com https://player.vimeo.com https://www.youtube.com https://w.soundcloud.com https://player.twitch.tv https://open.spotify.com https://3speak.tv https://odysee.com https://openhive.chat",
 // Web Workers: self + blob (for HBAuth and service worker)
 "worker-src 'self' blob:",
 // Prevent site from being embedded in iframes (clickjacking protection)
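Review bot: The added comment's rationale (`compromised/spam`) contradicts the commit message, which says the 3speak.online/.co entries go because the renderer normalizes those hosts to 3speak.tv, and the removed line `// Based on StaticConfig.ts iframe whitelist` was the only pointer to the list this frame-src is meant to mirror. If StaticConfig.ts still names 3speak.online/.co or emb.d.tube, the two lists now diverge and a later whitelist edit has no reminder to touch this header. I'd keep the cross-reference and give one consistent reason, e.g. `// Mirrors the StaticConfig.ts iframe whitelist; 3speak.online/.co omitted because the renderer normalizes them to 3speak.tv, emb.d.tube omitted (subdomain down, no renderer support)`. This directive sits in `cspReportOnly`, so the narrowed frame-src only yields violation reports until the same change reaches the enforced policy, which is not visible here; the cspReportOnly array starts and ends outside the hunk.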
diff --git a/apps/wallet/next.config.js b/apps/wallet/next.config.js
index c1434c49f..a179bf951 100644
--- a/apps/wallet/next.config.js
+++ b/apps/wallet/next.config.js
@@ -55,7 +55,8 @@ const cspReportOnly = [
 "font-src 'self' data:",
 // API connections: whitelist of trusted Hive API nodes and services
 // Only nodes running proper haf_api_node software are allowed
- "connect-src 'self' https://api.hive.blog https://api.syncad.com https://api.openhive.network https://images.hive.blog",
+ // Note: images.hive.blog not needed - wallet only uses it server-side (API routes)
+ "connect-src 'self' https://api.hive.blog https://api.syncad.com https://api.openhive.network",
 // Embedded content: wallet has fewer embeds than blog
 "frame-src 'self'",
 // Web Workers: self + blob (for HBAuth and service worker)
--
GitLab
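Review bot: The new comment says images.hive.blog is `not needed`, but connect-src governs only fetch/XHR/WebSocket/EventSource; it never covered `<img>` loads, which fall under img-src (outside this hunk). Stating that prevents someone re-adding the host here when an avatar or upload preview later appears broken, e.g. `// Note: images.hive.blog dropped - wallet only calls it server-side (API routes); client-side <img> loads are governed by img-src, not connect-src`. Because this directive sits in `cspReportOnly`, a client-side fetch that still hits images.hive.blog will surface only as a violation report rather than a block, so the report stream should be checked for that host before the same narrowing is applied to the enforced policy, which I cannot see from here. The cspReportOnly array starts and ends outside the hunk.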