From a3e557d022553465e392f904bf89f2704e70315a Mon Sep 17 00:00:00 2001
From: Felipe Cardoso
Date: Fri, 26 Dec 2025 19:00:18 +0100
Subject: [PATCH] Update E2E test for security headers to include `worker-src` validation
---
 frontend/next.config.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index a0b7bf6..87db554 100755
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
@@ -45,15 +45,17 @@ const securityHeaders = [
 key: 'Content-Security-Policy',
 value: [
 "default-src 'self'",
- "script-src 'self' 'unsafe-inline'", // Required for theme init script
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval'", // unsafe-eval needed for MSW in dev
 "style-src 'self' 'unsafe-inline'", // Required for Tailwind and styled components
 "img-src 'self' blob: data: https:", // Allow images from HTTPS sources
 "font-src 'self'",
+ "connect-src 'self' http://localhost:* ws://localhost:*", // API + HMR websocket
+ "worker-src 'self' blob:", // Required for MSW service worker in demo mode
+ "child-src 'self' blob:", // For service worker registration
 "object-src 'none'",
 "base-uri 'self'",
 "form-action 'self'",
 "frame-ancestors 'none'",
- 'upgrade-insecure-requests',
 ].join('; '),
 },
 ];
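Review bot: The `'unsafe-eval'` added to `script-src`, the `http://localhost:*`/`ws://localhost:*` sources added to `connect-src`, and the removal of `'upgrade-insecure-requests'` all land in a static `securityHeaders` array, so they ship in the production CSP even though the added comments justify them only for dev/HMR and the MSW demo mode; `'unsafe-eval'` in particular turns a script-injection into arbitrary code execution that the previous policy blocked. Unless the array is already built per-environment somewhere outside this hunk (the `const securityHeaders = [` opener is above the hunk, so I cannot tell), gate the dev-only sources on `process.env.NODE_ENV` and keep `'upgrade-insecure-requests'` for production as sketched below. The patch subject says it updates an E2E test, but the only file touched is `frontend/next.config.ts`; worth aligning the message with the change. `child-src 'self' blob:` is the legacy fallback for `worker-src` and `frame-src`; if the intent is only the service worker, a comment noting that it is kept for older browsers would help the next reader.
```typescript
const isDev = process.env.NODE_ENV !== 'production';
// … unchanged: header keys above Content-Security-Policy …
        "default-src 'self'",
        `script-src 'self' 'unsafe-inline'${isDev ? " 'unsafe-eval'" : ''}`, // unsafe-eval only for MSW in dev
        // … unchanged: style-src, img-src, font-src …
        `connect-src 'self'${isDev ? ' http://localhost:* ws://localhost:*' : ''}`, // local API + HMR websocket in dev only
        "worker-src 'self' blob:", // Required for MSW service worker in demo mode
        "child-src 'self' blob:", // For service worker registration
        // … unchanged: object-src, base-uri, form-action, frame-ancestors …
        ...(isDev ? [] : ['upgrade-insecure-requests']),
```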