Content Security Policy nonce support doesn't support content-security-policy-report-only
#48966
Closed
1 task done
Comments
github-actions
bot
added
area: app
Runtime
|
Also missed this feature. I see there's an outstanding PR, any way to move it? |
ztanner
added a commit
that referenced
this issue
Dec 1, 2023
…eader (#59071) **Note**: this is a 1-to-1 copy of #48969 by @danieltott with all the merge conflicts fixed. ## Checklist * Fixes #48966 * Tests added to `test/production/app-dir/subresource-integrity/subresource-integrity.test.ts` ## Description Currently `renderToHTMLOrFlight` in app-render pulls out a nonce value from a `content-security-policy` header for use in generating script tags: https://github.com/vercel/next.js/blob/e7c9d3c051e6027cf187e0d70565417d6037e37c/packages/next/src/server/app-render/app-render.tsx#L1204 That misses the ability to use a [content-security-policy-report-only header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only). Many times this is a required step to enabling a CSP - by shipping a CSP with report-only and collecting reports before actually blocking resources. ## Changes * Added ability to check `content-security-policy-report-only` header in `renderToHTMLOrFlight()` * Added test to verify `nonce` is correctly applied when `content-security-policy-report-only` header exists Co-authored-by: Dan Ott <[email protected]> Co-authored-by: Zack Tanner <[email protected]>
|
This closed issue has been automatically locked because it had no new activity for 2 weeks. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Verify canary release
Provide environment information
Operating System: Platform: darwin Arch: x64 Version: Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:41 PST 2023; root:xnu-8796.101.5~3/RELEASE_ARM64_T8103 Binaries: Node: 16.19.1 npm: 8.19.3 Yarn: 1.22.19 pnpm: 7.23.0 Relevant packages: next: 13.3.2-canary.12 eslint-config-next: 13.3.2-canary.12 react: 18.2.0 react-dom: 18.2.0Which area(s) of Next.js are affected? (leave empty if unsure)
App directory (appDir: true), Middleware / Edge (API routes, runtime)
Link to the code that reproduces this issue
https://github.com/Sprokets/nextjs-csp-report-only
To Reproduce
Go to https://nextjs-csp-report-only.vercel.app/csp, view the page source, and see that
nonceis applied to (some) scripts.Then go to https://nextjs-csp-report-only.vercel.app/csp-report-only, view the page source, and see that there are no scripts with
nonceattribute.Note: There is an existing issue #43743 where
nonceattributes aren't being properly included. This issue is not related to that. However, because of that issue, browsers will be blocking most of the runtime js on the page with thecontent-security-policyapplied. This can be ignored for the purposes of this issue.Describe the Bug
Currently,
renderToHTMLOrFlightinapp-renderpulls out a nonce value from acontent-security-policyheader for use in generating script tags:next.js/packages/next/src/server/app-render/app-render.tsx
Line 1204 in e7c9d3c
This is missing the ability to use a
content-security-policy-report-onlyheader. Many times this is a required step to enabling a CSP - by shipping a CSP with report-only and collecting reports before actually blocking resources.Expected Behavior
NextJS renders a site implementing a
content-security-policy-report-onlyin the same way it does for sites using acontent-security-policyheader (ie reads and applies the nonce value).Which browser are you using? (if relevant)
No response
How are you deploying your application? (if relevant)
All platforms
The text was updated successfully, but these errors were encountered: