From ec408417c266a980c63ba23712596a8430ab0048 Mon Sep 17 00:00:00 2001
From: Gao Sun
Date: Wed, 31 Jul 2024 20:47:40 +0800
Subject: [PATCH] refactor(core): allow cloudflare csp
---
 packages/core/src/middleware/koa-security-headers.ts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/packages/core/src/middleware/koa-security-headers.ts b/packages/core/src/middleware/koa-security-headers.ts
index 00cfa54e816..0847353c745 100644
--- a/packages/core/src/middleware/koa-security-headers.ts
+++ b/packages/core/src/middleware/koa-security-headers.ts
@@ -105,6 +105,9 @@ export default function koaSecurityHeaders(
 "'self'",
 "'unsafe-inline'",
 `${gsiOrigin}client`,
+ // Some of our users may use the Cloudflare Web Analytics service. We need to allow it to
+ // load its scripts.
+ 'https://static.cloudflareinsights.com/',
 ...conditionalArray(!isProduction && "'unsafe-eval'"),
 ],
 connectSrc: ["'self'", gsiOrigin, tenantEndpointOrigin, ...developmentOrigins],
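Review bot: The new `'https://static.cloudflareinsights.com/'` entry is added unconditionally, so every deployment served with this policy now trusts that third-party origin for script, including deployments that never use Cloudflare Web Analytics. The directive's name is outside the hunk, but the comment and the neighbouring `'unsafe-eval'` entry suggest it is the script source list, and the `gsiOrigin` entries suggest these pages may handle sign-in, where an allowed script runs with full access to the page. Consider gating the origin behind an opt-in setting in the same style as the next line, e.g. `...conditionalArray(cloudflareAnalyticsEnabled && 'https://static.cloudflareinsights.com/'),` (the flag name is a placeholder). Separately, the Cloudflare beacon is documented to report to `https://cloudflareinsights.com`, which the unchanged `connectSrc` line does not list, so the script would likely load while its reports are blocked; please verify and extend `connectSrc` under the same condition if so.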