Is your feature request related to a problem? Please describe.
The ideas communicated here are related to #12 and #5
Describe the solution you'd like
I am pretty much done with this and came to a solution I like.
Published to NPM package: https://www.npmjs.com/package/@next-safe/middleware
Try the package in StackBlitz: https://github.com/nibtime/demo-next-safe-middleware
Preliminary OSS project (hopefully to be unified with next-safe): https://github.com/nibtime/next-safe-middleware
Describe alternatives you've considered
https://github.com/vercel/next.js/tree/canary/examples/with-strict-csp
This is confusing, as this is not strict as it is supposed to be. If you add the 'strict-dynamic' directive to this configuration, the 'self' will be ignored by CSP3 supporting browsers and then all Next.js framework scripts will be prevented from loading as they are not trusted.
guydumais/next-strict-csp#5 (comment)
Additional context
https://web.dev/strict-csp/
https://owasp.org/www-pdf-archive/2017-04-20-OWASPNZ-SpagnuoloWeichselbaum.pdf
https://csp.withgoogle.com/docs/strict-csp.html
https://content-security-policy.com/strict-dynamic/
CSP Evaluator Chrome Extension: https://chrome.google.com/webstore/detail/csp-evaluator/fjohamlofnakbnbfjkohkbdigoodcejf
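The behaviour described in the issue above, modelled as an added example (not part of the original issue and not code from Next.js or next-safe-middleware): a simplified `script-src` check for external scripts, showing that `'self'` stops counting once `'strict-dynamic'` is present in a CSP3 browser. The page origin, nonce, script path and policies are constructed; host matching is reduced to exact origins and hash sources are not modelled.

```javascript
// Added example: simplified model of a browser's script-src check for
// external scripts. Origins, nonce and policies below are constructed.

// Parse a CSP header into { directive: [sources] }; first duplicate wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// script: { url, nonce?, parserInserted }. csp3=false models an older
// browser that does not understand 'strict-dynamic' and skips the keyword.
function allowsScript(header, script, pageOrigin, csp3 = true) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true; // nothing governs scripts
  // Nonce values are compared case-sensitively.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  const strictDynamic = sources.some((s) => s.toLowerCase() === "'strict-dynamic'");
  if (csp3 && strictDynamic) {
    // 'self', host and scheme sources are ignored here. Without a matching
    // nonce, only scripts inserted by trusted script (not the parser) load.
    return script.parserInserted === false;
  }
  // Allowlist path, reduced to 'self' and exact-origin sources (assumption).
  const origin = new URL(script.url, pageOrigin).origin;
  return sources.some((s) =>
    s.toLowerCase() === "'self'" ? origin === pageOrigin : s === origin
  );
}

function demo() {
  const page = "https://app.example";
  const chunk = { url: "/_next/static/chunks/main.js", parserInserted: true };
  const nonced = { ...chunk, nonce: "r4nd0m" };
  const strict = "script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'";
  return {
    selfOnly: allowsScript("script-src 'self'", chunk, page),
    selfPlusStrictDynamic: allowsScript("script-src 'self' 'strict-dynamic'", chunk, page),
    noncedChunk: allowsScript(strict, nonced, page),
    chunkWithoutNonce: allowsScript(strict, chunk, page),
    csp2Fallback: allowsScript(strict, chunk, page, false),
  };
}
console.log(demo());
```

The `csp2Fallback` case shows why `'self'` is often kept next to `'strict-dynamic'`: it only takes effect in browsers that do not understand the keyword.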