update CSP for asset & metric domains

web/next.config.js

@@ -17,21 +17,25 @@ const peerDomain = `ws://${peerHost}`;
 
 const vercelCdnDomain = 'https://cdn.vercel-insights.com';
 
-const webVitalsDomain = 'https://vitals.vercel-insights.com';
-
 const vercelLiveDomain = 'https://vercel.live';
 
+const vercelMetricsDomains = [
+    'https://vitals.vercel-insights.com',
+    vercelLiveDomain,
+].join(' ');
+
 const captchaDomains = ['https://hcaptcha.com', 'https://*.hcaptcha.com'].join(
     ' ',
 );
 
 const sentryDomain = 'https://*.ingest.sentry.io';
 
 const githubAssetsDomain = 'https://avatars.githubusercontent.com';
+const googleAssetsDomain = 'https://lh3.googleusercontent.com';
 
-const imgDomains = [
+const assetsDomains = [
     'https://assets.vercel.com',
-    'https://lh3.googleusercontent.com',
+    googleAssetsDomain,
     githubAssetsDomain,
 ].join(' ');
 
@@ -43,11 +47,11 @@ const safeConfig = {
     frameOptions: 'DENY',
     permissionsPolicy: false,
     contentSecurityPolicy: {
-        'connect-src': `'self' ${peerDomain} ${webVitalsDomain} ${captchaDomains} ${sentryDomain} ${githubAssetsDomain}`,
+        'connect-src': `'self' ${peerDomain} ${vercelMetricsDomains} ${captchaDomains} ${sentryDomain} ${assetsDomains}`,
         'default-src': `'self'`,
         'font-src': `'self' data:`,
         'frame-src': `${vercelLiveDomain} ${captchaDomains}`,
-        'script-src': `'self' 'unsafe-inline' ${vercelLiveDomain} ${webVitalsDomain} ${vercelCdnDomain} ${captchaDomains}`,
+        'script-src': `'self' 'unsafe-inline' ${vercelMetricsDomains} ${vercelCdnDomain} ${captchaDomains}`,
         'style-src': `'self' 'unsafe-inline' ${captchaDomains}`,
         'img-src': `'self' data: ${imgDomains}`,
     },