From 698a94cc3e52cb3aa33cc25684edbca69471df0d Mon Sep 17 00:00:00 2001
From: CodingOnStar
Date: Mon, 20 Oct 2025 13:37:19 +0800
Subject: [PATCH] merge conflict

---
 web/app/components/base/ga/index.tsx | 16 ++++++++++++++--
 web/middleware.ts | 3 +--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/web/app/components/base/ga/index.tsx b/web/app/components/base/ga/index.tsx
index 759a91d18e..af13d569b6 100644
--- a/web/app/components/base/ga/index.tsx
+++ b/web/app/components/base/ga/index.tsx
@@ -18,14 +18,26 @@ export type IGAProps = {
 gaType: GaType
 }

+const extractNonceFromCSP = (cspHeader: string | null): string | undefined => {
+ if (!cspHeader)
+ return undefined
+ const nonceMatch = cspHeader.match(/'nonce-([^']+)'/)
+ return nonceMatch ? nonceMatch[1] : undefined
+}
+
 const GA: FC = ({
 gaType,
 }) => {
 if (IS_CE_EDITION)
 return null

- const nonceValue = process.env.NODE_ENV === 'production' ? (headers() as unknown as UnsafeUnwrappedHeaders).get('x-nonce') : null
- const nonce = nonceValue || undefined
+ const cspHeader = process.env.NODE_ENV === 'production'
+ ? (headers() as unknown as UnsafeUnwrappedHeaders).get('content-security-policy')
+ : null
+ const nonce = extractNonceFromCSP(cspHeader)
+
+ if (typeof window === 'undefined')
+ console.log('[GA SSR] CSP header:', cspHeader ? 'exists' : 'MISSING', '| nonce:', nonce ? `extracted (${nonce.substring(0, 10)}...)` : 'NOT FOUND')

 return (
 <>
diff --git a/web/middleware.ts b/web/middleware.ts
index 8492878a7c..7dae6b7244 100644
--- a/web/middleware.ts
+++ b/web/middleware.ts
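Review bot: The added `console.log` at the end of the hunk writes the first ten characters of the CSP nonce to the server log on every render, and nothing restricts it to development. The `typeof window === 'undefined'` guard is presumably always true here, since `headers()` is a server-side call, so the message fires per request; outside production `cspHeader` is forced to `null`, so it would report MISSING every time. A nonce only works as an allowlist token while it stays unpredictable, so the log should record presence only, e.g. `nonce ? 'extracted' : 'NOT FOUND'`, or the two lines should be dropped before merge. The body of `GA` continues past the hunk.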
@@ -33,7 +33,7 @@ export function middleware(request: NextRequest) {
 const cspHeader = `
 default-src 'self' ${scheme_source} ${csp} ${whiteList};
 connect-src 'self' ${scheme_source} ${csp} ${whiteList};
- script-src 'self' ${scheme_source} ${csp} ${whiteList};
+ script-src 'self' 'wasm-unsafe-eval' ${scheme_source} ${csp} ${whiteList};
 style-src 'self' 'unsafe-inline' ${scheme_source} ${whiteList};
 worker-src 'self' ${scheme_source} ${csp} ${whiteList};
 media-src 'self' ${scheme_source} ${csp} ${whiteList};
@@ -56,7 +56,6 @@ export function middleware(request: NextRequest) {
 contentSecurityPolicyHeaderValue,
 )

- // response.headers.set('x-nonce', nonce)
 response.headers.set(
 'Content-Security-Policy',
 contentSecurityPolicyHeaderValue,
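Review bot: The `script-src` line in the first hunk now allows `'wasm-unsafe-eval'` for every route the middleware covers, and neither the hunk nor the commit message says which dependency needs it. That keyword permits WebAssembly compilation without enabling `eval()`, so it is the narrower choice, but a CSP relaxation should carry its reason; a comment above `const cspHeader`, such as `// 'wasm-unsafe-eval': required by <WASM consumer> to compile WebAssembly; does not allow eval()`, would do. The GA component in this commit now reads the nonce by parsing this header, so `${csp}` presumably has to keep emitting a `'nonce-…'` source, and that coupling is worth a line in the same comment. `middleware` starts and ends outside the hunk.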