From 31485eec8f1d23488a65f2eb37daaeb78e81aa2f Mon Sep 17 00:00:00 2001
From: Felipe Coutinho
Date: Sun, 5 Apr 2026 13:47:23 +0000
Subject: [PATCH] fix(csp): permitir upload de anexos para o storage externo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

connect-src bloqueava fetch para o Supabase Storage desde o commit de segurança (10afef9). Adiciona a origin do S3_ENDPOINT na política.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 CHANGELOG.md | 6 ++++++
 next.config.ts | 2 +-
 package.json | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 69b1b57..d1aff79 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,12 @@ e este projeto adere ao [Versionamento Semântico](https://semver.org/lang/pt-BR
 ## [Unreleased]
+## [2.3.4] - 2026-04-05
+
+### Corrigido
+
+- Anexos: corrigido upload que falhava com `NetworkError` — CSP `connect-src` bloqueava fetch para o Storage
+
 ## [2.3.3] - 2026-04-05
 ### Corrigido
diff --git a/next.config.ts b/next.config.ts
index f516cba..872995b 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -52,7 +52,7 @@ const nextConfig: NextConfig = {
 "style-src 'self' 'unsafe-inline'",
 "img-src 'self' https://lh3.googleusercontent.com data: blob:",
 "font-src 'self'",
- "connect-src 'self' https://umami.felipecoutinho.com",
+ `connect-src 'self' https://umami.felipecoutinho.com ${process.env.S3_ENDPOINT ? new URL(process.env.S3_ENDPOINT).origin : ""}`.trim(),
 "frame-ancestors 'none'",
 ].join("; "),
 },
diff --git a/package.json b/package.json
index b678c46..3ce65d2 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "openmonetis",
- "version": "2.3.3",
+ "version": "2.3.4",
 "private": true,
 "packageManager": "pnpm@10.33.0",
 "scripts": {
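Review bot: In next.config.ts the new `connect-src` entry calls `new URL(process.env.S3_ENDPOINT)` inline with no guard, so a value that is not an absolute URL (constructed example: `storage.example.com` without a scheme) throws while the config is evaluated, which presumably fails the build or server start instead of only leaving the storage origin out of the policy. Parsing the endpoint in a small helper that catches the error and warns keeps the rest of the CSP intact and makes the misconfiguration visible. Whatever origin the variable holds is also sent to every client in the header, so if S3_ENDPOINT is the server-side endpoint (an internal hostname or a plain `http:` URL) it is worth confirming that it is the same host the browser uploads to and that an `http:` origin is acceptable in production. The `nextConfig` object and the directive array start and end outside the hunk.

```typescript
// Parse the storage endpoint once; a value that is not an absolute URL is
// reported and left out of the policy instead of throwing during config load.
function storageOrigin(endpoint: string | undefined): string | undefined {
  if (!endpoint) return undefined;
  try {
    return new URL(endpoint).origin;
  } catch {
    console.warn("S3_ENDPOINT is not an absolute URL; storage origin omitted from connect-src");
    return undefined;
  }
}

// … unchanged: preceding CSP directives …
["connect-src 'self'", "https://umami.felipecoutinho.com", storageOrigin(process.env.S3_ENDPOINT)]
  .filter(Boolean)
  .join(" "),
// … unchanged: frame-ancestors and the closing join …
```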