nibtime / next-safe-middleware

Strict CSP (Content-Security-Policy) for Next.js hybrid apps https://web.dev/strict-csp/
https://next-safe-middleware.vercel.app
MIT License
78 stars, 20 forks

Routing & Nonce Required #77

Open fritterhoff opened 1 year ago

fritterhoff commented 1 year ago

I'm trying to use this library in a project where several (sub-)pages require a nonce for inline styles. In case of loading the subpages directly, the nonce is returned correctly and loading the pages works fine. In case of loading a statically rendered page before the server rendered page, loading and applying the inline styles fails due to the lack of the nonce in the CSP header.

Is there (maybe) an option to enforce including the nonce in the initial request, even if it is not used directly? Due to the next.js routing the subpages are not "loaded" the same way as navigating to them with the direct URL...

To sum up:

  1. Loading a statically rendered page: the header does not include a nonce
  2. Loading a server rendered page via router "button": no new header is returned, so the nonce is missing and the inline style fails

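The failure described above, as an added example that is not code from the issue or from next-safe-middleware: a small model of the browser's CSP check for an inline style, run against two constructed headers. The nonce value and both policies are assumptions for illustration, not what the middleware actually emits.

```javascript
// Added example, not from the issue or the library. Models how a browser decides
// whether an inline <style nonce="..."> may apply under a Content-Security-Policy
// header. A CSP is bound to the document that was fetched; a Next.js client-side
// route transition fetches page data, not a new document, so the header of the
// statically rendered page stays in force and the SSR page's nonced styles fail.

// Parse "directive value value; directive ..." into a Map of directive -> values.
// Per CSP, only the first occurrence of a directive counts.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// style-src governs inline styles; default-src is the fallback; neither present
// means no restriction. 'unsafe-inline' is ignored when a nonce or hash source
// is listed (CSP Level 3). Nonce comparison is case-sensitive.
function inlineStyleAllowed(header, nonce) {
  const policy = parseCsp(header);
  const sources = policy.get('style-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const lowered = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lowered.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  return lowered.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample values (placeholders, not a real nonce or real output).
const NONCE = 'r4nd0mBase64Value';
const STATIC_PAGE_CSP = "default-src 'self'; style-src 'self'";
const SSR_PAGE_CSP = `default-src 'self'; style-src 'self' 'nonce-${NONCE}'`;

// Scenario 1: the server-rendered page is loaded directly; its own header applies.
function directLoadAllowed() {
  return inlineStyleAllowed(SSR_PAGE_CSP, NONCE); // true
}

// Scenario 2: a static page was loaded first and the SSR page was reached via the
// router. No new document was fetched, so the static page's nonce-less policy is
// still in force and the nonce attribute on the <style> element matches nothing.
function clientNavigationAllowed() {
  return inlineStyleAllowed(STATIC_PAGE_CSP, NONCE); // false
}
```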

fritterhoff commented 1 year ago

I've just built a mini showcase using MUI and the MUI datagrid: https://github.com/fritterhoff/csp-mui