Next 12 with 'strict-dynamic': Some ideas for an integration #36
Assignees
Labels
Comments
nibtime
added
needs: triage
This was referenced Jan 29, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
The ideas communicated here are related to #12 and #5
Describe the solution you'd like
I am pretty much done with this and came to a solution I like.
Published to NPM package: https://www.npmjs.com/package/@next-safe/middleware
Try the package in StackBlitz: https://github.com/nibtime/demo-next-safe-middleware
Preliminary OSS project (hopefully to be unified with
next-safe): https://github.com/nibtime/next-safe-middlewareDescribe alternatives you've considered
https://github.com/vercel/next.js/tree/canary/examples/with-strict-csp
This is confusing, as this is not strict as it is supposed to be. If you add the 'strict-dynamic' directive to this configuration, the 'self' will be ignored by CSP3 supporting browsers and then all Next.js framework scripts will be prevented from loading as they are not trusted.
guydumais/next-strict-csp#5 (comment)
Additional context
https://web.dev/strict-csp/
https://owasp.org/www-pdf-archive/2017-04-20-OWASPNZ-SpagnuoloWeichselbaum.pdf
https://csp.withgoogle.com/docs/strict-csp.html
https://content-security-policy.com/strict-dynamic/
CSP Evaluator Chrome Extension: https://chrome.google.com/webstore/detail/csp-evaluator/fjohamlofnakbnbfjkohkbdigoodcejf
Code of Conduct
The text was updated successfully, but these errors were encountered: