| 175 | '@sim/workflow-renderer', |
| 176 | ], |
| 177 | async headers() { |
| 178 | return [ |
| 179 | { |
| 180 | source: '/:all*(svg|jpg|jpeg|png|gif|ico|webp|avif|woff|woff2|ttf|eot)', |
| 181 | headers: [ |
| 182 | { |
| 183 | key: 'Cache-Control', |
| 184 | value: 'public, max-age=86400, stale-while-revalidate=604800', |
| 185 | }, |
| 186 | ], |
| 187 | }, |
| 188 | { |
| 189 | source: '/.well-known/:path*', |
| 190 | headers: [ |
| 191 | { key: 'Access-Control-Allow-Origin', value: '*' }, |
| 192 | { key: 'Access-Control-Allow-Methods', value: 'GET, OPTIONS' }, |
| 193 | { key: 'Access-Control-Allow-Headers', value: 'Content-Type, Accept' }, |
| 194 | ], |
| 195 | }, |
| 196 | // /api/* CORS is set at runtime in proxy.ts (resolveApiCorsPolicy). |
| 197 | { |
| 198 | source: '/api/workflows/:id/execute', |
| 199 | headers: [ |
| 200 | { key: 'Cross-Origin-Embedder-Policy', value: 'unsafe-none' }, |
| 201 | { key: 'Cross-Origin-Opener-Policy', value: 'unsafe-none' }, |
| 202 | { |
| 203 | key: 'Content-Security-Policy', |
| 204 | value: getWorkflowExecutionCSPPolicy(), |
| 205 | }, |
| 206 | ], |
| 207 | }, |
| 208 | { |
| 209 | // Exclude Vercel internal resources and static assets from strict COEP, Google Drive Picker |
| 210 | // and the /demo Cal.com booking embed to prevent 'refused to connect' / slow-load issues |
| 211 | source: '/((?!_next|_vercel|api|favicon.ico|w/.*|workspace/.*|api/tools/drive|demo).*)', |
| 212 | headers: [ |
| 213 | { |
| 214 | key: 'Cross-Origin-Embedder-Policy', |
| 215 | value: 'credentialless', |
| 216 | }, |
| 217 | { |
| 218 | key: 'Cross-Origin-Opener-Policy', |
| 219 | value: 'same-origin', |
| 220 | }, |
| 221 | ], |
| 222 | }, |
| 223 | { |
| 224 | // For main app routes, Google Drive Picker, the /demo Cal.com embed, and Vercel resources - use permissive policies |
| 225 | source: '/(w/.*|workspace/.*|api/tools/drive|demo.*|_next/.*|_vercel/.*)', |
| 226 | headers: [ |
| 227 | { |
| 228 | key: 'Cross-Origin-Embedder-Policy', |
| 229 | value: 'unsafe-none', |
| 230 | }, |
| 231 | { |
| 232 | key: 'Cross-Origin-Opener-Policy', |
| 233 | value: 'same-origin-allow-popups', |
| 234 | }, |