forked from molecule-ai/molecule-core
Tenant page loads were blocked by: Refused to connect to 'https://api.moleculesai.app/cp/auth/me' because it violates the document's Content Security Policy. CSP had `connect-src 'self' wss:` — fine for same-origin + any wss, but browser refuses cross-origin HTTPS fetches that aren't listed. PLATFORM_URL (baked from NEXT_PUBLIC_PLATFORM_URL, which is the CP origin on SaaS tenants) needs to be explicit.

Fix: middleware reads NEXT_PUBLIC_PLATFORM_URL at build/runtime and adds both the https and wss siblings to connect-src. Self-hosted deploys that override the build-arg automatically get a matching CSP — no hardcoded hostname.

Test added: buildCsp includes NEXT_PUBLIC_PLATFORM_URL origin in connect-src when set. Also loosens the dev `ws:` assertion since dev uses `connect-src *` which subsumes ws (pre-existing behavior, test was stale).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
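As an added illustration of the CSP behaviour the commit describes (not the molecule-core middleware itself), the block below derives the https origin and its wss sibling from a platform URL, builds a `connect-src`, and checks a fetch target against the policy the way the browser's refusal above implies. The function names (`platformSources`, `buildCsp`, `isConnectAllowed`), the `default-src`/`script-src` values and the tenant origin `https://tenant.moleculesai.app` are assumptions; only `api.moleculesai.app` comes from the commit message.

```typescript
// Added example, not code from the molecule-core repo. Function names, the
// extra directives and the tenant origin used in checks are assumptions.

/** Derive the https origin and its wss sibling from NEXT_PUBLIC_PLATFORM_URL. */
function platformSources(platformUrl: string | undefined): string[] {
  if (!platformUrl) return [];
  let u: URL;
  try {
    u = new URL(platformUrl);
  } catch {
    return []; // malformed value: add nothing rather than a garbage source
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return [];
  const wsScheme = u.protocol === "https:" ? "wss:" : "ws:";
  return [u.origin, `${wsScheme}//${u.host}`];
}

/** Build the policy: dev keeps `connect-src *`, prod lists self, wss and the platform. */
function buildCsp(opts: { platformUrl?: string; dev?: boolean; nonce: string }): string {
  const connectSrc = opts.dev
    ? ["*"]
    : ["'self'", "wss:", ...platformSources(opts.platformUrl)];
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${opts.nonce}'`,
    `connect-src ${connectSrc.join(" ")}`,
  ].join("; ");
}

/** Simplified connect-src evaluation: *, 'self', scheme sources (wss:), exact origins. */
function isConnectAllowed(csp: string, pageOrigin: string, target: string): boolean {
  const directives = csp.split(";").map((s) => s.trim());
  const directive =
    directives.find((s) => s.startsWith("connect-src ")) ??
    directives.find((s) => s.startsWith("default-src ")); // browser fallback
  if (!directive) return true; // no applicable directive: nothing to enforce
  const sources = directive.split(/\s+/).slice(1);
  const t = new URL(target);
  return sources.some((src) => {
    if (src === "*") return true;
    if (src === "'self'") return t.origin === pageOrigin;
    if (src.endsWith(":")) return t.protocol === src; // scheme source, e.g. wss:
    return t.origin === src; // host source, compared as an origin
  });
}
```

With the old policy the same `https://api.moleculesai.app/cp/auth/me` fetch is refused while a `wss://` connection to the same host is allowed, which is exactly the asymmetry the commit fixes.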