🔒️ improve security headers, support for articles too

next.config.js

@@ -24,6 +24,8 @@ const baseSecurityHeaders = [
   },
 ]
 
+const articlesAllowedDomains = "https://*.spotify.com/ https://spotify.com https://*.youtube.com/ https://youtube.com https://*.twitter.com/ https://twitter.com"
+
 
 /** @type {import('next').NextConfig} */
 module.exports = withBundleAnalyzer({
@@ -40,7 +42,7 @@ module.exports = withBundleAnalyzer({
         headers: [
           {
             key: "Content-Security-Policy",
-            value: `frame-ancestors 'self'; frame-src ${process.env.NEXT_PUBLIC_IPFS_GATEWAY_SAFE};`
+            value: `frame-ancestors 'self'; frame-src ${process.env.NEXT_PUBLIC_IPFS_GATEWAY_SAFE} ${articlesAllowedDomains} 'self';`
           },
           ...baseSecurityHeaders,
         ]
@@ -54,15 +56,6 @@ module.exports = withBundleAnalyzer({
           }
         ]
       },
-      {
-        source: "/sandbox",
-        headers: [
-          {
-            key: "Content-Security-Policy",
-            value: `frame-ancestors 'self';`
-          },
-        ]
-      },
       {
         source: "/sandbox/preview.html",
         headers: [

src/components/NFTArticle/elements/Embed/EmbedSpotify.tsx

@@ -13,6 +13,7 @@ const EmbedSpotify = memo<EmbedElementProps>(({ href }) => {
         className={style.spotify}
         src={src} width="660px"
         height="380" frameBorder="0"
+        sandbox="allow-same-origin allow-scripts"
         allow="autoplay; clipboard-write; encrypted-media; fullscreen; picture-in-picture">
       </iframe>
     </div>

src/components/NFTArticle/elements/Embed/EmbedYoutube.tsx

@@ -18,6 +18,7 @@ const EmbedYoutube = memo<EmbedElementProps>(({ href }) => {
         src={embedUrl}
         title="YouTube video player"
         frameBorder="0"
+        sandbox="allow-same-origin allow-scripts"
         allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; fullscreen"
       >
       </iframe>