feat: implement domain isolation system with middleware and loader scripts for enhanced security

apps/web/middleware.js

@@ -0,0 +1,49 @@
+import { NextResponse } from 'next/server';
+
+// This middleware runs on every request
+export function middleware(request) {
+  // Get the current hostname from the request headers
+  const currentHostname = request.headers.get('host');
+
+  // Get the referrer URL if it exists
+  const referer = request.headers.get('referer');
+
+  // If there is a referrer, check if it's from a different domain
+  if (referer) {
+    try {
+      const refererUrl = new URL(referer);
+      const refererHostname = refererUrl.hostname;
+
+      // If the referrer hostname doesn't match the current hostname
+      if (refererHostname !== currentHostname) {
+        console.log(`Cross-domain request detected: ${refererHostname} -> ${currentHostname}`);
+        
+        // For path segments that might include another domain
+        const url = request.nextUrl.clone();
+        const path = url.pathname;
+        
+        // Check if the path includes another domain name (simple check for static files)
+        if (path.includes('/next/static/') || path.includes('/api/')) {
+          // Ensure all paths use the current hostname
+          // This prevents asset URL problems when different hostnames appear in the path
+          const localPath = path.replace(/https?:\/\/[^\/]+/, '');
+          url.pathname = localPath;
+          return NextResponse.rewrite(url);
+        }
+      }
+    } catch (e) {
+      console.error('Error processing referer in middleware:', e);
+    }
+  }
+
+  // Continue with the request as normal
+  return NextResponse.next();
+}
+
+// Configure which paths this middleware will run on
+export const config = {
+  matcher: [
+    // Apply to all paths
+    '/:path*',
+  ],
+};

apps/web/pages/_document.js

@@ -4,10 +4,12 @@ export default function Document() {
   return (
     <Html lang="en">
       <Head>
-        {/* Load runtime configuration before any app code */}
-        <script src="/runtime-config.js" />
-        {/* Load API interceptor to enforce correct domain */}
-        <script src="/api-interceptor.js" />
+        {/* Load domain isolation loader first - immediate protection */}
+        <script src="/domain-isolation-loader.js" strategy="beforeInteractive" />
+        {/* Load runtime configuration */}
+        <script src="/runtime-config.js" strategy="beforeInteractive" />
+        {/* Load comprehensive API interceptor */}
+        <script src="/api-interceptor.js" strategy="beforeInteractive" />
       </Head>
       <body>
         <Main />

apps/web/public/domain-isolation-loader.js

@@ -0,0 +1,82 @@
+// Domain Isolation Loader
+// This script loads before any other scripts to ensure all requests stay within the current domain
+
+(function() {
+  console.log('[Domain Isolation] Initializing early domain isolation...');
+  
+  // Override createElement to patch script elements before they load
+  const originalCreateElement = document.createElement.bind(document);
+  document.createElement = function(tagName) {
+    const element = originalCreateElement(tagName);
+    
+    if (tagName.toLowerCase() === 'script') {
+      const originalSetAttribute = element.setAttribute.bind(element);
+      element.setAttribute = function(name, value) {
+        if (name === 'src' && typeof value === 'string') {
+          try {
+            const currentDomain = window.location.hostname;
+            const urlObj = new URL(value, window.location.origin);
+            const targetDomain = urlObj.hostname;
+            
+            if (targetDomain !== currentDomain) {
+              console.warn('[Domain Isolation] Pre-load intercepted cross-domain script:', value);
+              value = value.replace(/https?:\/\/[^\/]+/, window.location.origin);
+              console.log('[Domain Isolation] Changed to:', value);
+            }
+          } catch (e) {
+            console.error('[Domain Isolation] Error processing script URL:', e);
+          }
+        }
+        return originalSetAttribute(name, value);
+      };
+    }
+    
+    return element;
+  };
+  
+  // Store original URL manipulation methods
+  window.__domainIsolationOriginals = {
+    fetch: window.fetch,
+    open: XMLHttpRequest.prototype.open
+  };
+  
+  // Simple early fetch override
+  window.fetch = function(url, options) {
+    if (typeof url === 'string') {
+      try {
+        const currentDomain = window.location.hostname;
+        const urlObj = new URL(url, window.location.origin);
+        const targetDomain = urlObj.hostname;
+        
+        if (targetDomain !== currentDomain) {
+          console.warn('[Domain Isolation] Early loader redirecting fetch:', url);
+          url = url.replace(/https?:\/\/[^\/]+/, window.location.origin);
+        }
+      } catch (e) {
+        console.error('[Domain Isolation] Early loader error:', e);
+      }
+    }
+    return window.__domainIsolationOriginals.fetch.apply(this, arguments);
+  };
+  
+  // Simple early XHR override
+  XMLHttpRequest.prototype.open = function(method, url, ...args) {
+    if (typeof url === 'string') {
+      try {
+        const currentDomain = window.location.hostname;
+        const urlObj = new URL(url, window.location.origin);
+        const targetDomain = urlObj.hostname;
+        
+        if (targetDomain !== currentDomain) {
+          console.warn('[Domain Isolation] Early loader redirecting XHR:', url);
+          url = url.replace(/https?:\/\/[^\/]+/, window.location.origin);
+        }
+      } catch (e) {
+        console.error('[Domain Isolation] Early loader error:', e);
+      }
+    }
+    return window.__domainIsolationOriginals.open.apply(this, [method, url, ...args]);
+  };
+  
+  console.log('[Domain Isolation] Early domain isolation initialized');
+})();