nibtime / next-safe-middleware

Strict CSP (Content-Security-Policy) for Next.js hybrid apps https://web.dev/strict-csp/
https://next-safe-middleware.vercel.app
MIT License
79 stars 20 forks

strict-dynamic not working on Next 12.2 #37

Closed DuCanhGH closed 2 years ago

DuCanhGH commented 2 years ago

So I just upgraded my dependencies, and that includes updating Next to 12.2 and next-safe/middleware to 0.7.0. I also moved to the new middleware csp and getCspInitialProps, moved pages/_middleware.ts to the root folder and renamed it to middleware.ts. I thought it'd work; however, what I got was

[strictDynamic]: Internal error. No hashes or nonce have been added to CSP. Switch to report-only mode to not break the app and to let you know about this. { errorCsp:
   { 'default-src': [ 'self', 'blob:', 'https://pokeapi.co' ],
     'object-src': [ 'none' ],
     'base-uri': [ 'none' ],
     'img-src': [ 'self', 'https://pokeapi.co' ],
     'connect-src': [ 'self', 'https://pokeapi.co' ],
     'style-src': [ 'self', 'unsafe-inline' ],
     'script-src': [ 'strict-dynamic', 'https:', 'unsafe-inline' ] },
  err:
   [Error: The request.page has been deprecated in favour of `URLPattern`.
     Read more: https://nextjs.org/docs/messages/middleware-request-page
     ] }

It turns out that req.page has been deprecated, but this middleware is still using it in middleware/strictDynamic.ts, or more precisely in fetchHashes in middleware/utils.ts. For script-src I got 'strict-dynamic' https: 'unsafe-inline', so it would have broken my whole app had it not been set to report-only :( I hope this will be fixed soon, thanks :D

Source: https://github.com/DuCanhGH/react-18-nextjs/blob/fc713ac116b9aa8cfdc9649ea03a2ff6eace42bb/middleware.ts
Page: https://react-18-nextjs.vercel.app/

nibtime commented 2 years ago

Hi @DuCanhGH

thanks a lot for reporting this quickly. I will create a fix today for this and release a 0.7.1. I knew that something would break there eventually, with all the changes to middleware :D.

But it's stable since 12.2, so I think breaking changes like this won't happen anymore

DuCanhGH commented 2 years ago

@nibtime nice, thanks for the quick response :D

nibtime commented 2 years ago

Hi @DuCanhGH @philhack

Thought this was a 15min fix; it turned out to be 15h 😁. It turns out that middleware now runs on any request, so I had to provide some additional abstractions and do an internal redesign without req.page.name (there seems to be no new equivalent).

I just released 0.8.0 with an updated README to npm.

Cheers, and thanks for reporting this bug!

DuCanhGH commented 2 years ago

@nibtime nice! Gotta test it tomorrow :D

nibtime commented 2 years ago

@all-contributors add @DuCanhGH for bug

allcontributors[bot] commented 2 years ago

@nibtime

I've put up a pull request to add @DuCanhGH! :tada: