Bug Report

A summary of the bug

next-secure-headers crashes if you try to use a relative URL in reportURI.

Here you can see that next-secure-headers is using URL for that directive:
https://github.com/jagaapple/next-secure-headers/blob/master/src/rules/content-security-policy.ts#L197
https://github.com/jagaapple/next-secure-headers/blob/master/src/rules/shared/uri-encoder.ts

And it is a bad idea.

Current behavior

Currently it crashes the server on its start:

```
ready - started server on 0.0.0.0:3000, url: http://localhost:3000
TypeError [ERR_INVALID_URL]: Invalid URL
    at new NodeError (node:internal/errors:363:5)
    at onParseError (node:internal/url:536:9)
    at new URL (node:internal/url:612:5)
    at encodeStrictURI (/home/my/ui-auth/node_modules/next-secure-headers/lib/rules/shared/uri-encoder.js:4:34)
    at Array.map (<anonymous>)
    at convertReportingDirectiveToString (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:109:62)
    at createContentSecurityPolicyOptionHeaderValue (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:127:9)
    at Object.createContentSecurityPolicyHeader (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:139:19)
    at Object.createHeadersObject (/home/my/***/node_modules/next-secure-headers/lib/index.js:18:23)
    at createSecureHeaders (/home/my/***/node_modules/next-secure-headers/lib/index.js:37:35) {
  input: '/api/csp_violation',
  code: 'ERR_INVALID_URL'
}
```
To Reproduce

Create the following next.config.mjs and run yarn run dev.

Expected behavior

No crash.
Helmet allows relative report-uri in CSP (e.g. /api/csp_violation).

Also, the specification allows such URIs:
https://w3c.github.io/webappsec-csp/#directive-report-uri
https://datatracker.ietf.org/doc/html/rfc3986#section-4.1
Environment

next-secure-headers: v2.2.0
Node.js: v16.3.0
OS: Ubuntu 16.04
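The crash above comes from handing a relative reference to the WHATWG URL constructor, which only accepts absolute URLs and throws TypeError [ERR_INVALID_URL] for anything else. The following is an added example written for this page; it is not code from next-secure-headers or from the issue author. It reproduces the failing pattern and places beside it an encoder that keeps relative report-uri values (RFC 3986 §4.1 relative references) while still normalising absolute ones. The names encodeStrictURI, strictEncoderErrorCode, encodeReportURI and reportDirectives are hypothetical, and the endpoint https://example.com/csp is a constructed sample.

```javascript
// Added example (not next-secure-headers code): why new URL('/api/csp_violation')
// throws, and an encoder that tolerates relative report-uri values.
// encodeStrictURI, strictEncoderErrorCode, encodeReportURI and reportDirectives
// are hypothetical names chosen for this example.

// RFC 3986 §3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
// A value that does not start this way is a relative reference (RFC 3986 §4.1),
// including network-path references such as //example.com/csp.
const ABSOLUTE_URI = /^[A-Za-z][A-Za-z0-9+.-]*:/;

// Encoder in the style of the one that crashes: the WHATWG URL constructor
// requires an absolute URL and throws TypeError [ERR_INVALID_URL] otherwise.
function encodeStrictURI(value) {
  return new URL(value).href;
}

// Returns the error code the strict encoder raises for a value, or null when
// it succeeds, so the crash can be demonstrated without taking the process down.
function strictEncoderErrorCode(value) {
  try {
    encodeStrictURI(value);
    return null;
  } catch (err) {
    return err.code;
  }
}

// Tolerant encoder: absolute URIs are still normalised through URL; relative
// references are percent-encoded but left relative, so the browser resolves
// them against the document that carried the header.
function encodeReportURI(value) {
  if (typeof value !== 'string' || value.trim() === '') {
    throw new TypeError('report-uri value must be a non-empty string');
  }
  if (ABSOLUTE_URI.test(value)) {
    return new URL(value).href;
  }
  // encodeURI keeps URI delimiters ("/", "?", "=", "&", ...) but does not
  // touch ";" or ",", which end a CSP directive and a header value
  // respectively, so those two are encoded explicitly. encodeURI also
  // encodes "%", so callers must pass raw (not pre-encoded) paths.
  return encodeURI(value).replace(/[;,]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Builds the report-uri directive for one or more reporting endpoints.
function reportDirectives(uris) {
  const list = Array.isArray(uris) ? uris : [uris];
  return 'report-uri ' + list.map(encodeReportURI).join(' ');
}

// Stand-alone demonstration (constructed inputs).
console.log(strictEncoderErrorCode('/api/csp_violation'));          // ERR_INVALID_URL
console.log(reportDirectives(['/api/csp_violation', 'https://example.com/csp']));
// report-uri /api/csp_violation https://example.com/csp
```

The first line shows the exact failure from the trace; the second shows the same relative endpoint surviving into the header once the encoder stops insisting on an absolute URL. Keeping the value relative rather than resolving it against a placeholder origin matters because the server building the header generally does not know the public scheme and host the browser will see.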