From fec1a727807b00c3029022b693786aa2c3f85d50 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Mon, 9 Oct 2023 21:11:05 -0400
Subject: [PATCH] fix: Remove zapier from CSP on self-hosted

---
 server/services/web.ts | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/server/services/web.ts b/server/services/web.ts
index 1fc015d7e..fcdd1cec3 100644
--- a/server/services/web.ts
+++ b/server/services/web.ts
@@ -26,19 +26,14 @@ const isProduction = env.ENVIRONMENT === "production";

 // Construct scripts CSP based on services in use by this installation
 const defaultSrc = ["'self'"];
-const scriptSrc = [
- "'self'",
- "gist.github.com",
- "www.googletagmanager.com",
- "cdn.zapier.com",
-];
+const scriptSrc = ["'self'", "gist.github.com", "www.googletagmanager.com"];

-const styleSrc = [
- "'self'",
- "'unsafe-inline'",
- "github.githubassets.com",
- "cdn.zapier.com",
-];
+const styleSrc = ["'self'", "'unsafe-inline'", "github.githubassets.com"];
+
+if (env.isCloudHosted) {
+ scriptSrc.push("cdn.zapier.com");
+ styleSrc.push("cdn.zapier.com");
+}

 // Allow to load assets from Vite
 if (!isProduction) {
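Review bot: `www.googletagmanager.com` stays in the unconditional `scriptSrc` list on the new line, so a self-hosted install still allows a third-party script host whether or not analytics is configured; the gating this commit applies to `cdn.zapier.com` would fit it too. If the file has a setting that enables Google Analytics (not visible in this hunk), move the host behind it, e.g. `if (<analytics setting>) { scriptSrc.push("www.googletagmanager.com"); }`. The new `if (env.isCloudHosted)` block would also read better with a short comment such as `// cdn.zapier.com is only needed on the cloud-hosted deployment; keep it out of the self-hosted CSP`. A test asserting that the emitted header omits `cdn.zapier.com` when `isCloudHosted` is false would keep the allowlist from regressing. The CSP construction continues past the end of the hunk, so later pushes to these arrays are not covered here.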