Support adding CSP nonce with content-security-policy-report-only header
#48969
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
danieltott
requested review from
timneutkens,
ijjk,
shuding,
huozhi and
feedthejim
as code owners
danieltott
force-pushed
the
danieltott-csp-report-only
branch
from
62116ba to
6d3f587
Compare
|
@timneutkens @ijjk @shuding @leerob could either one of you take a look at this PR? It blocks us from launching CSP on our website. Also created an updated #59071 which fixes the merge conflicts in this PR |
ztanner
added a commit
that referenced
this pull request
Dec 1, 2023
…eader (#59071) **Note**: this is a 1-to-1 copy of #48969 by @danieltott with all the merge conflicts fixed. ## Checklist * Fixes #48966 * Tests added to `test/production/app-dir/subresource-integrity/subresource-integrity.test.ts` ## Description Currently `renderToHTMLOrFlight` in app-render pulls out a nonce value from a `content-security-policy` header for use in generating script tags: https://github.com/vercel/next.js/blob/e7c9d3c051e6027cf187e0d70565417d6037e37c/packages/next/src/server/app-render/app-render.tsx#L1204 That misses the ability to use a [content-security-policy-report-only header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only). Many times this is a required step to enabling a CSP - by shipping a CSP with report-only and collecting reports before actually blocking resources. ## Changes * Added ability to check `content-security-policy-report-only` header in `renderToHTMLOrFlight()` * Added test to verify `nonce` is correctly applied when `content-security-policy-report-only` header exists Co-authored-by: Dan Ott <[email protected]> Co-authored-by: Zack Tanner <[email protected]>
|
Closed in favor of #59071 -- applied you as a co-author on the PR, thank you! |
|
Thanks @ztanner 🙌 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist:
content-security-policy-report-only#48966test/e2e/app-dir/app/index.test.tsDescription:
Currently,
renderToHTMLOrFlightinapp-renderpulls out a nonce value from acontent-security-policyheader for use in generating script tags:next.js/packages/next/src/server/app-render/app-render.tsx
Line 1204 in e7c9d3c
This is missing the ability to use a
content-security-policy-report-onlyheader. Many times this is a required step to enabling a CSP - by shipping a CSP with report-only and collecting reports before actually blocking resources.Changes:
content-security-policy-report-onlyheader inrenderToHTMLOrFlight()nonceis correctly applied whencontent-security-policy-report-onlyheader exists