Merged
16 changes: 11 additions & 5 deletions console-ui/next.config.ts
@@ -4,16 +4,22 @@ import type { NextConfig } from "next";
// - 'unsafe-inline' for style-src: required by Next.js for injected styles.
// - 'unsafe-inline' + 'unsafe-eval' for script-src: required by Privy SDK
// and Next.js dev mode. Tighten to nonce-based CSP when feasible.
// - connect-src: coordinator API, Privy auth, Google Analytics, Stripe.
// - frame-src: Privy auth iframes, Stripe Checkout iframes.
// - script-src: GA/GTM, Stripe.js, Cloudflare Turnstile (Privy captcha).
// - connect-src: coordinator API, Privy auth + RPC, WalletConnect/WalletLink
// relays & explorer, Google Analytics, Stripe.
// - frame-src / child-src: Privy auth iframe, WalletConnect verify iframes,
// Cloudflare Turnstile, Stripe Checkout.
// - worker-src: app workers (Privy/wagmi may spawn blob: workers).
const cspDirectives = [
"default-src 'self'",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://js.stripe.com",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://js.stripe.com https://challenges.cloudflare.com",
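Review bot: the comment kept at the top of this block says 'unsafe-eval' is "required by Privy SDK and Next.js dev mode", but the new script-src string on the last line above is still a plain constant, so the production header carries 'unsafe-eval' and 'unsafe-inline' as well. If the dev-mode need is the real driver, build the directive conditionally (for example append 'unsafe-eval' only when `process.env.NODE_ENV !== "production"`) so that only the dev server is weakened, and state in the comment which Privy code path actually calls eval() so the "tighten to nonce-based CSP when feasible" note can be acted on rather than carried forward. Adding https://challenges.cloudflare.com to the host list is fine in itself; note though that once a nonce is introduced the inline/host allow-list stops being the control for script injection, so the comment should name the nonce approach as the target state rather than listing more hosts.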

Contributor

🟡 [MEDIUM] 🔒 CSP allows 'unsafe-eval' in script-src which enables code injection

💡 Suggestion: Replace 'unsafe-eval' with nonce-based CSP or strict-dynamic when feasible. Consider if Privy SDK truly requires eval() or if alternatives exist.

📊 Score: 3×4 = 12 · Category: unsafe-eval

Contributor

🟡 [MEDIUM] 🔒 CSP allows 'unsafe-inline' in script-src which enables XSS

💡 Suggestion: Replace 'unsafe-inline' with nonce-based CSP or strict-dynamic. Use CSP nonces for legitimate inline scripts.

📊 Score: 3×4 = 12 · Category: unsafe-inline

"style-src 'self' 'unsafe-inline'",

Contributor

🔵 [INFO] 🧩 CSP connect-src line becoming unwieldy with many domain wildcards

💡 Suggestion: Consider extracting CSP domains to a separate constant or config object to improve readability and maintainability

📊 Score: 2×3 = 6 · Category: over-configuration
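The two script-src findings and the over-configuration note above can be addressed with one small builder: keep the allow-lists as a structured object, add the nonce and 'strict-dynamic' per request, and append 'unsafe-eval' only for the dev build. The block below is an added example written for this review, not code from the console-ui repository or from the review bot. The directive contents are taken from the diff; `buildCsp`, `auditCsp` and `generateNonce` are hypothetical names, and the example assumes a Next.js middleware would call `buildCsp` once per request with a fresh nonce and set the resulting header.

```typescript
import { randomBytes } from "node:crypto";

// Assumed shape (not the project's own): each directive maps to its allowed sources.
export type CspDirectives = Record<string, string[]>;

export interface CspOptions {
  /** Per-request nonce; when present, script-src uses it instead of 'unsafe-inline'. */
  nonce?: string;
  /** Development build: keeps 'unsafe-eval' for the Next.js dev runtime only. */
  dev?: boolean;
}

// Static allow-lists, grouped per directive so a reviewer sees why each host exists.
// Values are copied from the diff under review; object-src 'none' is an addition.
export const BASE_DIRECTIVES: CspDirectives = {
  "default-src": ["'self'"],
  "script-src": [
    "'self'",
    "https://www.googletagmanager.com", // GA/GTM
    "https://js.stripe.com", // Stripe.js
    "https://challenges.cloudflare.com", // Cloudflare Turnstile (Privy captcha)
  ],
  "style-src": ["'self'", "'unsafe-inline'"],
  "connect-src": [
    "'self'",
    "https://api.darkbloom.dev",
    "https://*.privy.io",
    "wss://*.privy.io",
    "https://api.stripe.com",
  ],
  "frame-src": ["'self'", "https://auth.privy.io", "https://js.stripe.com", "https://challenges.cloudflare.com"],
  "worker-src": ["'self'", "blob:"],
  "frame-ancestors": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
  "object-src": ["'none'"],
};

// 16 random bytes, base64-encoded: a fresh value per response, never reused.
export function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

// Serialises the directives into a Content-Security-Policy header value.
export function buildCsp(directives: CspDirectives, opts: CspOptions = {}): string {
  const out: CspDirectives = { ...directives };
  const script = [...(out["script-src"] ?? ["'self'"])];
  if (opts.nonce) {
    // With a nonce, 'strict-dynamic' lets nonced scripts load their own dependencies;
    // CSP3 browsers then ignore 'unsafe-inline' and the host allow-list for scripts.
    script.push(`'nonce-${opts.nonce}'`, "'strict-dynamic'");
  } else {
    // Fallback that reproduces the current (weaker) policy when no nonce is available.
    script.push("'unsafe-inline'");
  }
  if (opts.dev) script.push("'unsafe-eval'");
  out["script-src"] = script;
  return Object.entries(out)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Lint pass over a serialised policy that reproduces the two script-src findings
// raised in this review, so a build can fail before a weak header reaches production.
export function auditCsp(csp: string): string[] {
  const findings: string[] = [];
  const script = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  if (!script) {
    findings.push("script-src missing (falls back to default-src)");
    return findings;
  }
  if (script.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (script.includes("'unsafe-inline'") && !/'nonce-|'sha(256|384|512)-/.test(script)) {
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
  }
  return findings;
}

// Example: production header for one request, then the dev header for comparison.
const nonce = generateNonce();
console.log(buildCsp(BASE_DIRECTIVES, { nonce }));
console.log(auditCsp(buildCsp(BASE_DIRECTIVES, { dev: true })));
```

The trade-off to be aware of before adopting this: once 'strict-dynamic' is in effect, the GTM, Stripe.js and Turnstile loaders are no longer authorised by their hostnames but must be inserted by a script that itself carries the nonce (or is created by such a script). Third-party snippets pasted as inline `<script>` tags without the nonce will be blocked, so the rollout should start in report-only mode.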

"img-src 'self' data: blob: https:",
"font-src 'self' data:",
"connect-src 'self' https://api.darkbloom.dev https://*.privy.io wss://*.privy.io https://www.google-analytics.com https://api.stripe.com",
"frame-src https://auth.privy.io https://js.stripe.com",
"connect-src 'self' https://api.darkbloom.dev https://*.privy.io wss://*.privy.io https://*.rpc.privy.systems https://www.google-analytics.com https://api.stripe.com https://*.walletconnect.com wss://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.org wss://www.walletlink.org",
"frame-src 'self' https://auth.privy.io https://js.stripe.com https://challenges.cloudflare.com https://verify.walletconnect.com https://verify.walletconnect.org",
"child-src 'self' https://auth.privy.io https://verify.walletconnect.com https://verify.walletconnect.org",
"worker-src 'self' blob:",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
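Review bot: the new child-src allow-list does not match the new frame-src list two lines above it; child-src omits https://js.stripe.com and https://challenges.cloudflare.com. child-src is only consulted as the fallback for frame-src and worker-src, and both are set explicitly in this hunk, so in current browsers the line is inert, while in any client that still falls back to child-src the Stripe Checkout and Turnstile iframes would be blocked. Either drop child-src or make it identical to frame-src. Two smaller points on the same lines: the worker-src comment above says Privy/wagmi "may" spawn blob: workers; confirm that with a report-only run before shipping blob:, since a blob: worker is also a convenient place for injected code to execute, and with connect-src now carrying several wildcard hosts (https://*.privy.io, https://*.rpc.privy.systems, https://*.walletconnect.com, https://*.walletconnect.org) it is worth adding a report-to or report-uri directive so violations against these lists are observable once the policy is tightened.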