nibtime / next-safe-middleware

Strict CSP (Content-Security-Policy) for Next.js hybrid apps https://web.dev/strict-csp/
https://next-safe-middleware.vercel.app
MIT License
78 stars 20 forks

💥 full switch to stable middleware (perf reasons) + ✨ docs website with Nextra #47

Closed nibtime closed 2 years ago

nibtime commented 2 years ago

That PR has gotten somewhat big and took ages, as I discovered lots of small changes in Next 12.2 that break things (edge runtime, ISR, Safari ...).

@Shamilik thank you very much for reporting the issue with Safari. The problem seems essentially the same as with Firefox as described in #5. Firefox isn't truly CSP-3 compliant and SRI validation gets messed up when used together with strict-dynamic (see https://bugzilla.mozilla.org/show_bug.cgi?id=1409200). Presumably, it's the same for Safari, at least for versions 15.4 and 15.5. Once I have confirmation of Safari and Firefox versions that are truly CSP-3 compliant, I will update the strictDynamic middleware to support them for Hash-based.

So for now, I excluded Safari in this PR from Hash-based strict CSP. Apps won't break now, but unfortunately visitors also won't be protected by strict CSP if the entry point is a static page. They will be if the entry point is a dynamic page: Nonce-based works and will be applied. For static pages, the fallbackSrc value of the strictDynamic middleware will be used (defaults to https: 'unsafe-inline'). I also documented that in the release notes of the upcoming 0.9.0 version.

Another option would be loading Next.js chunks/scripts with an inline proxy script. I already tried that out, and that would work with Safari and Firefox as well. Unfortunately, it can break Next.js in a nondeterministic fashion on page reloads and navigation events, and I couldn't find a way to resolve that so far.

vercel[bot] commented 2 years ago

The latest updates on your projects.

| Name | Status | Preview | Updated |
| --- | --- | --- | --- |
| docs-next-safe-middleware | ✅ Ready (Inspect) | Visit Preview | Jul 24, 2022 at 2:31AM (UTC) |
| e2e-next-safe-middleware | ✅ Ready (Inspect) | Visit Preview | Jul 24, 2022 at 2:31AM (UTC) |
changeset-bot[bot] commented 2 years ago

🦋 Changeset detected

Latest commit: e8aea1d34d33c084093b3244b4fa5d70b049295b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

| Name | Type |
| --------------------- | ----- |
| @next-safe/middleware | Minor |
| e2e | Minor |
| docs | Minor |


Shamilik commented 2 years ago

Hello. Preview isn't working on Safari 15.5.

Received CSP:

Content-Security-Policy:
default-src 'self';
object-src 'none';
base-uri 'none';
img-src 'self' data: https://vercel.com https://img.shields.io https://*.githubusercontent.com https://gitpod.io;
font-src 'self' https://rsms.me;
style-src 'self' https://rsms.me 'sha256-Sr0R23aPEYkZEIraULoANv0+lJ6nm++YjMKNjJJgUXA=' 'sha256-lgodCpuy1TR56k3x67FV95N+KM+XG8BOqKMMa/XHk28=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-GHgVb5EEAUPhVeTfwEFuX9+WADcCrePlK6CwdXznIhY=' 'sha256-xd6kVmsB5qDY47QB4x7Ys+1t88OSTa40q/98d9NyF8Q=' 'sha256-8BNxsIsc6VHj8/elC63fqbrGsnTOvhNTf17uhaIdUI4=' 'sha256-d72pVhmRTNXT2Gr2OHFRLnVaHBfiBI5EvDCF6tA924Y=' 'sha256-wVdJrANUOK6FSKXAK/b1cyEUJMPQfQmGgKD56BosKsQ=' 'sha256-QuMjhq9r7jLn8e9zqxh8mfMbl0arL7LCu/hyoLaFBQc=' 'sha256-9HGruJg4WccHXas5I1NmLn7tI1TDh6N26o6+/dy8sm4=' 'sha256-WhdL3NGEYeeQu4IJi8MIwu7bKqNwzqfyf0ZxdTEe46s=' 'sha256-QvCvI4erjhH7DNwV83hMvuRvdfRtk16q9GHz5wlS0bs=' 'sha256-jKE6QZqne5OsrfemNvuLSNoud++NsCOiSlGuIsQns5o=' 'sha256-J/RYDozRaa3WUwPsZ82tQdcUhZyfAGMmyxZ1ILqy40k=' 'sha256-/cz+p719dOFygDAqDgEjHhHSRaka+kWXk3WHAOXiURk=' 'sha256-k1LZnPBgTDfZ8Oz4iDbO2KHJG4Kq7uqZ7tj4buN8+j4=' 'sha256-OpF46MbWec8lEJE9VZEkMMzTCPNuJOw+MYd0C2lV6eQ=' 'sha256-cXE5WSWHJNr6CysOfi+H1lA3XpTfgZFzu2+5D8P/j6M=' 'sha256-ioeco5QPBMU6V5vUrY+ASxoxaQnK7/gRpV0D5ZCKpK4=' 'unsafe-hashes' 'report-sample';
script-src 'strict-dynamic' https: 'unsafe-inline' 'sha256-FRcCAqWeT9c2BDWISR4nAeoh5T3cbINwn0j4tzAs9PU=' 'sha256-2AH2VH1B+5jBCXgwJkVuj1TRGO0aUm9dcNatWrnyosU=' 'sha256-lBDbadDkyeD7bOL6E1HDHFZXy+jFNq5d5QL2yspKv/A=' 'sha256-9KBZhMnIhr6i6Vtn/+m7sBLmWhnSfquC+BYUfYZs21E=' 'sha256-+n6qCniDL16DO3FYEyaFapnzcUr0xSMx30D68AgajH4=' 'sha256-AClCwzlXIejFvVduN+HneWJr65UFQ5kUOkgPapcZT2w=' 'sha256-by3fHBuyRxdqAMf7fSVCgE6zVnZIa/6qP5bmgf2pd9g=' 'sha256-l6DHoC1Ab+rmjDBGLFym9joywrc+95/rgKGChtq9AcE=' 'sha256-FCZEmVkjYzI1TqZIyDWAwXAH3kbZnFdlIejPw8aqSbk=' 'sha256-6OOA1hrdgdwg6KGy93+51o0591+S8gPkMcSh0mfrnRc=' 'sha256-3Tbstl/7NhKqVtTQ8qik7oOw8djYptFHzQZjgEcFI/8=' 'sha256-R5PHcVi5p/1cmbT7VOzRSRwi9bwDn60L3kQ7v41eXnM=' 'sha256-a5Q14E9Z/8Rc/lZYyEjEbIN1uUR9bs+hGCGl+iuFC0o=' 'sha256-0PsJr+/QmZoW1v5o0JdOePeFfi1HUspiKkFAucTNWNM=' 'sha256-gsOvp62vNJoRqsvQWJs67x3+lvazIWWDBNgg6ybMRmg=' 'sha256-kEM9zyBXuBR3jn6hhfNopeBCB4H3SCiZMFYK1THK6Nc=' 'sha256-Mm1eOSIv97qBO9IsiSracSPKT4mcIjBOepVpnr6GxXY=' 'sha256-foBhF47FLjBw9yVL8WE2GQtf7M2av4UqyUSVXsMw94Q=' 'sha256-B5Nj5tsbu/Mz0wqhtzuQ9wSbxr1hzxe23gr5v+6Yy6Q=' 'sha256-/mgaywVXJ1yHET9ftr9ak3qzzHBVG9IfuG0llKYbKJE=' 'sha256-kxviE/tyzwqZqaavwhRUYmXttKyTtPz0wpp4Pp/tfUY=' 'sha256-nXzjemf1oMXVn/mFfKiTPCCp8xPTf/EehdjiyD1Vag0=' 'sha256-2J4eFP5LdsUNsymmd+5AMuJ56gwkZ1DtwRbeJT9Qtp4=' 'sha256-VbFiIqooxXDId2fGnqVP5Tvmx+1mUVChJfS95XOfe1I=' 'sha256-ROdpclxijlXXVBWqulEKgL8WHbSrEtJpJ4/Ah1Vk400=' 'sha256-zEkrGm56GbCqXjLxIM90BBjkU8SOsC32PWVQfGOovZ0=' 'sha256-mGP5vHbto9iZfd/ytJdBtFZ0KMePO5x1snKLxDOip7s=' 'sha256-o5xkS8gmT76hLNAHYl2Invs2VKT5kWot+ILoRYbDmsM=' 'sha256-2rNZhgVKOKupmxSfMhy8NXjyiFu5JwZX8ijD2lfA+Uw=' 'sha256-/mw7+IBTDgIBr7RcI2lZxV77k0HVCwt2bwSNvlqODqQ=' 'report-sample';
report-uri /api/reporting;
report-to default
nibtime commented 2 years ago

@all-contributors add @Shamilik for bug

allcontributors[bot] commented 2 years ago

@nibtime

I've put up a pull request to add @Shamilik! 🎉