Solvro · qamarq · Feb 12, 2025 · Feb 12, 2025
diff --git a/frontend/src/app/api/callback/route.ts b/frontend/src/app/api/callback/route.ts
@@ -74,14 +74,14 @@ export const GET = async (request: NextRequest) => {
     maxAge: 60 * 60 * 24 * 7,
     httpOnly: true,
     secure: true,
-    sameSite: "strict",
+    sameSite: "lax",
   });
   cookies.set("access_token_secret", access_token.secret, {
     path: "/",
     maxAge: 60 * 60 * 24 * 7,
     httpOnly: true,
     secure: true,
-    sameSite: "strict",
+    sameSite: "lax",
   });
 
   await auth(tokens);

diff --git a/frontend/src/app/api/login/route.ts b/frontend/src/app/api/login/route.ts
@@ -29,15 +29,15 @@ export async function GET() {
     maxAge: 60 * 60 * 24 * 7,
     httpOnly: true,
     secure: true,
-    sameSite: "strict",
+    sameSite: "lax",
   });
 
   cookies.set("oauth_token_secret", token.secret, {
     path: "/",
     maxAge: 60 * 60 * 24 * 7,
     httpOnly: true,
     secure: true,
-    sameSite: "strict",
+    sameSite: "lax",
   });
 
   return redirect(

diff --git a/frontend/src/app/layout.tsx b/frontend/src/app/layout.tsx
@@ -1,5 +1,6 @@
 import type { Metadata } from "next";
 import { Space_Grotesk } from "next/font/google";
+import { headers } from "next/headers";
 import Script from "next/script";
 import type React from "react";
 
@@ -98,6 +99,8 @@ export default async function RootLayout({
   children: React.ReactNode;
 }) {
   const user = await auth({ disableThrow: true });
+  const headersList = await headers();
+  const nonce = headersList.get("x-nonce");
 
   return (
     <html lang="pl" suppressHydrationWarning={true} className="scroll-smooth">
@@ -118,6 +121,7 @@ export default async function RootLayout({
               src="https://analytics.solvro.pl/script.js"
               data-website-id="ab126a0c-c0ab-401b-bf9d-da652aab69ec"
               data-domains="planer.solvro.pl"
+              nonce={nonce ?? undefined}
             />
             <Toaster richColors={true} />
           </body>

diff --git a/frontend/src/lib/auth/index.ts b/frontend/src/lib/auth/index.ts
@@ -149,7 +149,7 @@ export const auth = async (tokens?: {
             maxAge: 60 * 60 * 24 * 7,
             httpOnly: false,
             secure: true,
-            sameSite: "strict",
+            sameSite: "lax",
           });
         } else if (ADONIS_COOKIES.has(name)) {
           cookies.set({
@@ -159,7 +159,7 @@ export const auth = async (tokens?: {
             maxAge: 60 * 60 * 24 * 7,
             httpOnly: true,
             secure: true,
-            sameSite: "strict",
+            sameSite: "lax",
           });
         }
       }

diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
@@ -4,6 +4,42 @@ import { NextResponse } from "next/server";
 import { auth } from "./lib/auth";
 
 export async function middleware(request: NextRequest) {
+  const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
+  const cspHeader = `
+    default-src 'self' 'nonce-${nonce}' https://fonts.googleapis.com https://fonts.gstatic.com https://analytics.solvro.pl;
+    script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${process.env.NODE_ENV === "development" ? "'unsafe-eval'" : ""} https://analytics.solvro.pl;
+    style-src 'self' 'unsafe-inline';
+    img-src 'self' blob: data: https://avatars.githubusercontent.com https://wit.pwr.edu.pl https://cms.solvro.pl https://apps.usos.pwr.edu.pl;
+    font-src 'self';
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    upgrade-insecure-requests;
+  `;
+
+  const contentSecurityPolicyHeaderValue = cspHeader
+    .replaceAll(/\s{2,}/g, " ")
+    .trim();
+
+  const requestHeaders = new Headers(request.headers);
+  requestHeaders.set("x-nonce", nonce);
+
+  requestHeaders.set(
+    "Content-Security-Policy",
+    contentSecurityPolicyHeaderValue,
+  );
+
+  const nextResponse = NextResponse.next({
+    request: {
+      headers: requestHeaders,
+    },
+  });
+  nextResponse.headers.set(
+    "Content-Security-Policy",
+    contentSecurityPolicyHeaderValue,
+  );
+
   const tokens = {
     token: request.cookies.get("access_token")?.value,
     secret: request.cookies.get("access_token_secret")?.value,
@@ -14,12 +50,12 @@ export async function middleware(request: NextRequest) {
   const user = await auth(tokens);
 
   if (!isProtectedRoute) {
-    return NextResponse.next();
+    return nextResponse;
   }
 
   if (user === null) {
     return NextResponse.redirect(new URL("/", request.url));
   }
 
-  return NextResponse.next();
+  return nextResponse;
 }