From 202f3256fa1bb60a72322ca1c4c3b5e6ffca212a Mon Sep 17 00:00:00 2001
From: ertopogo
Date: Thu, 19 Feb 2026 15:07:10 +0100
Subject: fix: CSP blocks resources on HTTP, conditional upgrade-insecure-requests

---
 src/middleware.ts | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/middleware.ts b/src/middleware.ts
index 74f5aed..42fef0f 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -5,11 +5,15 @@ export function middleware(request: NextRequest) {
   const response = NextResponse.next();
   const { pathname } = request.nextUrl;
 
-  const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
+  if (pathname.startsWith("/admin")) {
+    return response;
+  }
+
+  const isHttps = request.nextUrl.protocol === "https:";
 
   const cspDirectives = [
     "default-src 'self'",
-    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
+    `script-src 'self' 'unsafe-inline' 'unsafe-eval'`,
     `style-src 'self' 'unsafe-inline'`,
     "img-src 'self' data: blob:",
     "font-src 'self'",
@@ -17,18 +21,13 @@ export function middleware(request: NextRequest) {
     "frame-ancestors 'none'",
     "base-uri 'self'",
     "form-action 'self'",
-    "upgrade-insecure-requests",
+    ...(isHttps ? ["upgrade-insecure-requests"] : []),
   ];
 
-  if (pathname.startsWith("/admin")) {
-    return response;
-  }
-
   response.headers.set(
     "Content-Security-Policy",
     cspDirectives.join("; ")
   );
-  response.headers.set("X-Nonce", nonce);
 
   return response;
 }
-- 
cgit v1.2.3
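Review bot: The new `script-src 'self' 'unsafe-inline' 'unsafe-eval'` line in the first hunk replaces the per-request nonce plus `'strict-dynamic'` with a policy that allows any inline script and eval, which removes the CSP's protection against script injection for every non-admin page, and nothing in the subject line ("CSP blocks resources on HTTP, conditional upgrade-insecure-requests") explains why the nonce scheme had to go. The HTTP problem the commit describes is addressed by the conditional `upgrade-insecure-requests` in the second hunk, so the `nonce` line, the `'nonce-${nonce}' 'strict-dynamic'` directive and the `response.headers.set("X-Nonce", nonce)` propagation look unrelated to the fix and should be kept unless there is a documented reason. If the relaxation is intentional, it needs a comment at that line such as `// TODO: 'unsafe-inline'/'unsafe-eval' disable script CSP protection; restore nonce-based script-src` so the regression is visible to the next reader. The early `return response` for `/admin` also leaves those pages with no CSP header at all, as was already the case before the move. The enclosing `middleware` function starts above the hunk.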
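Review bot: `isHttps` is derived only from `request.nextUrl.protocol`, and when TLS is terminated by a proxy or load balancer in front of the app that value can read `http:` for a client connection that is actually HTTPS, so the second hunk would drop `upgrade-insecure-requests` precisely in the deployment where it is wanted (inferred; it depends on how the app is hosted). Consider also honouring the forwarded protocol, e.g. `const isHttps = request.nextUrl.protocol === "https:" || request.headers.get("x-forwarded-proto") === "https";`, and adding a short comment on the spread line explaining that the directive is omitted on plain HTTP because browsers would otherwise rewrite same-origin subresource URLs to https and fail to load them. `isHttps` is defined in the first hunk; the enclosing `middleware` function begins outside both hunks.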