
[BUG]: configuration of CSP report directives (report-uri, report-to) is unsound #41

Open
1 task done
nibtime opened this issue Feb 28, 2022 · 3 comments
Labels: type: bug (Something isn't working)

Comments

nibtime commented Feb 28, 2022

Describe the bug

```js
const nextSafe = require('next-safe');

const isDev = process.env.NODE_ENV !== 'production';

module.exports = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: nextSafe({
          isDev,
          contentSecurityPolicy: {
            'frame-ancestors': 'https://stackblitz.com',
            // next-safe ensures that both directives always have the same value.
            // It prefers report-to over report-uri if both are set.
            // This doesn't make sense: for report-uri, a URL is expected.
            // For report-to it is a group name of a Reporting API configuration.
            // It requires a Report-To header for configuration,
            // see https://developers.google.com/web/updates/2018/09/reportingapi
            'report-uri': 'https://example.com/csp-report-uri',
            'report-to': 'default',
          },
        }),
      },
    ];
  },
};
```

Steps To Reproduce

https://stackblitz.com/edit/nextjs-d6qbyi?file=next.config.js

Version

v3.x.x

Relevant log output

base-uri 'none';child-src 'none';connect-src 'self' webpack://*;default-src 'self';font-src 'self';form-action 'self';frame-ancestors https://stackblitz.com;frame-src 'none';img-src 'self';manifest-src 'self';media-src 'self';object-src 'none';prefetch-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self';report-uri default;report-to default;

@nibtime nibtime added needs: triage Waiting for a contributor to triage type: bug Something isn't working labels Feb 28, 2022

ghost commented Dec 30, 2022

Hi @trezy,
are there any updates on this?

sambauers (Contributor) commented

Should we simply allow configuration of these directives separately to each other? Are there cases where they could be or should be the same?

@UncleClapton UncleClapton removed the needs: triage Waiting for a contributor to triage label Mar 12, 2023
@UncleClapton UncleClapton assigned UncleClapton and unassigned trezy Mar 12, 2023

UncleClapton commented Mar 16, 2023

Just an update here, I've come up with a pretty decent plan of attack to address this, and I'm looking to ship a solution with 4.0.0.

First things first, we're definitely going to de-couple these values, but that leaves users to manage Reporting-Endpoints on their own.

I'd like to add support for generating that header, and I'm looking into the possibility of simplifying configuration so a user only has to provide a single value. next-safe would just automatically handle the rest.
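Added example, not next-safe's own code, showing the de-coupled configuration the thread converges on: report-uri keeps a URL, report-to carries the group name that a generated Reporting-Endpoints header maps to the endpoint, and a check flags the defect visible in the log output above (a report-uri whose value is a group name). The option names and the `{ key, value }` header shape are this example's assumptions.

```javascript
// Added example, not next-safe's own code: build CSP reporting directives from
// independently configured values and emit the matching Reporting-Endpoints header.
function isAbsoluteHttpUrl(value) {
  try {
    const protocol = new URL(value).protocol;
    return protocol === 'https:' || protocol === 'http:';
  } catch (_) {
    return false;
  }
}

// Serialise directives in the same "name value;" form as the log output above.
function serializeCsp(directives) {
  return Object.entries(directives).map(([name, value]) => `${name} ${value}`).join(';') + ';';
}

// options (assumed shape): { reportUri?: string, reportTo?: { group: string, endpoint: string } }
// Returns { key, value } header objects, as a Next.js headers() entry expects.
function buildReportingHeaders(baseDirectives, options) {
  const directives = { ...baseDirectives };
  const headers = [];
  if (options.reportUri !== undefined) {
    // report-uri takes a URL; a bare group name such as "default" is a misconfiguration.
    if (!isAbsoluteHttpUrl(options.reportUri)) {
      throw new TypeError(`report-uri must be an absolute URL, got "${options.reportUri}"`);
    }
    directives['report-uri'] = options.reportUri;
  }

  if (options.reportTo !== undefined) {
    const { group, endpoint } = options.reportTo;
    if (!isAbsoluteHttpUrl(endpoint)) {
      throw new TypeError(`reporting endpoint must be an absolute URL, got "${endpoint}"`);
    }
    // report-to takes the *group name*; Reporting-Endpoints maps that name to the URL.
    directives['report-to'] = group;
    headers.push({ key: 'Reporting-Endpoints', value: `${group}="${endpoint}"` });
  }

  headers.push({ key: 'Content-Security-Policy', value: serializeCsp(directives) });
  return headers;
}

// Check an emitted policy for the defect in the log output above: a report-uri that is not a URL.
function findUnsoundReportUri(cspHeaderValue) {
  const directive = cspHeaderValue.split(';').map((d) => d.trim()).find((d) => d.startsWith('report-uri '));
  if (!directive) return null;
  const value = directive.slice('report-uri '.length).trim();
  return isAbsoluteHttpUrl(value) ? null : value;
}
```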
