From bd1b7bcf9500d7053120cb84720d134eaee0a8ae Mon Sep 17 00:00:00 2001
From: Sean Oliver <882952+seanoliver@users.noreply.github.com>
Date: Mon, 15 Sep 2025 14:02:47 -0700
Subject: [PATCH 1/2] fix: add PostHog external URL to CSP for feature flags support (#38717)

PostHog feature flags and other advanced features (toolbar, session replay) require direct connections to *.posthog.com endpoints, even when using our proxy server for main event ingestion. This adds the necessary CSP rules.
---
 apps/studio/csp.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/apps/studio/csp.js b/apps/studio/csp.js
index 5c94f4093e19f..1f39cd02cd806 100644
--- a/apps/studio/csp.js
+++ b/apps/studio/csp.js
@@ -70,6 +70,8 @@ const SUPABASE_ASSETS_URL =
 ? 'https://frontend-assets.supabase.green'
 : 'https://frontend-assets.supabase.com'
 const POSTHOG_URL = isDevOrStaging ? 'https://ph.supabase.green' : 'https://ph.supabase.com'
+// Required for feature flags and other PostHog features
+const POSTHOG_EXTERNAL_URL = 'https://*.posthog.com'
 const USERCENTRICS_URLS = 'https://*.usercentrics.eu'
 const USERCENTRICS_APP_URL = 'https://app.usercentrics.eu'
@@ -102,6 +104,7 @@ module.exports.getCSP = function getCSP() {
 STAPE_URL,
 GOOGLE_MAPS_API_URL,
 POSTHOG_URL,
+ POSTHOG_EXTERNAL_URL,
 ...(!!NIMBUS_PROD_PROJECTS_URL ? [NIMBUS_PROD_PROJECTS_URL, NIMBUS_PROD_PROJECTS_URL_WS] : []),
 ]
 const SCRIPT_SRC_URLS = [
@@ -111,6 +114,7 @@ module.exports.getCSP = function getCSP() {
 SUPABASE_ASSETS_URL,
 STAPE_URL,
 POSTHOG_URL,
+ POSTHOG_EXTERNAL_URL,
 ]
 const FRAME_SRC_URLS = [HCAPTCHA_ASSET_URL, STRIPE_JS_URL, STAPE_URL]
 const IMG_SRC_URLS = [
From 99be74735fd97e31a1f1398b28c21cb1b7875678 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 15 Sep 2025 21:45:21 +0000
Subject: [PATCH 2/2] feat: update mgmt api docs (#38691)

Co-authored-by: phamhieu <689843+phamhieu@users.noreply.github.com>
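Review bot: The new `POSTHOG_EXTERNAL_URL` in the first hunk is a wildcard over every `posthog.com` subdomain, and the second and third hunks feed that one value into two different source lists. A wildcard on a multi-tenant vendor domain trusts every host the vendor operates rather than the endpoints this app actually calls, and the list in the second hunk (its name is outside the hunk, presumably the connection sources) then permits requests to all of them. It would be tighter to name the specific PostHog hosts the SDK contacts and to keep separate constants for the connection list and for `SCRIPT_SRC_URLS`, so each directive can be narrowed on its own. The comment should also say which features and directives depend on it, e.g. `// PostHog cloud endpoints contacted directly (feature flags, toolbar, session replay); not covered by the ph.supabase.* proxy`.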
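Review bot: Adding `POSTHOG_EXTERNAL_URL` to `SCRIPT_SRC_URLS` in the third hunk makes every `*.posthog.com` host an allowed script origin, which is a much wider grant than the connection entry in the previous hunk. The commit title is about feature flags, and flag evaluation looks like a network request rather than a script load, so this entry may only be needed for the lazily loaded toolbar or session-replay code. If that is the case, confirm those features are enabled in Studio and limit the script list to the single PostHog asset host that serves them. `getCSP` starts and ends outside the hunk, so how this list is joined into the final header is not visible here.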