nibtime / next-safe-middleware

Strict CSP (Content-Security-Policy) for Next.js hybrid apps https://web.dev/strict-csp/
https://next-safe-middleware.vercel.app
MIT License

report-only headers don't work with SSR #97

Open fabiommmoreira opened 1 year ago

fabiommmoreira commented 1 year ago

Hey! I'm using the package in a repo that uses getServerSideProps. Following the strict CSP configuration, every getServerSideProps is wrapped with gsspWithNonce, and it works fine, setting the correct Content-Security-Policy header.

However, if reportOnly is set to true, it ends up setting an empty Content-Security-Policy-Report-Only header. After some debugging, I've found out that although the headers are correctly set in the middleware, they get overridden with an empty value in the document's getInitialProps, because getCspInitialProps uses a getter that contains a bug:

[Screenshot 2023-08-09 at 11 54 11]

Notice that the directives returned from the report-only block should use the report-only header, i.e.:

```js
if (cspContentReportOnly) {
  return {
    // directives must come from the report-only header, not the enforced one
    directives: fromCspContent(cspContentReportOnly),
    reportOnly: true,
  };
}
```
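To make the failure mode concrete, here is an added, self-contained model of the header selection the issue describes. It is not code from next-safe-middleware: `fromCspContent`, `cspContent` and `cspContentReportOnly` are taken from the snippet above, but the surrounding getter logic, `toCspContent` and `renderDocumentHeader` are assumptions written for illustration. `selectCspBuggy` reproduces the bug (report-only branch reads the enforced header, which is empty) and `selectCspFixed` shows the corrected branch; the constructed sample header at the bottom is the kind of value the middleware would have set.

```javascript
// Added example (not the project's code): minimal model of the getter bug.
const CSP_HEADER = 'Content-Security-Policy';
const CSP_REPORT_ONLY_HEADER = 'Content-Security-Policy-Report-Only';

// Parse a CSP header value into a directive map (assumed helper shape), e.g.
// "default-src 'self'; script-src 'nonce-abc'" ->
// { 'default-src': ["'self'"], 'script-src': ["'nonce-abc'"] }
function fromCspContent(content) {
  const directives = {};
  for (const part of content.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // skip empty segments (and empty input)
    const [name, ...values] = tokens;
    directives[name] = values;
  }
  return directives;
}

// Serialize a directive map back into a header value (assumed helper).
function toCspContent(directives) {
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(' '))
    .join('; ');
}

// Buggy selection as described in the issue: the report-only branch builds
// its directives from the enforced header, which is empty in report-only mode.
function selectCspBuggy(middlewareHeaders) {
  const cspContent = middlewareHeaders[CSP_HEADER] || '';
  const cspContentReportOnly = middlewareHeaders[CSP_REPORT_ONLY_HEADER] || '';
  if (cspContent) {
    return { directives: fromCspContent(cspContent), reportOnly: false };
  }
  if (cspContentReportOnly) {
    return { directives: fromCspContent(cspContent), reportOnly: true }; // bug
  }
  return { directives: {}, reportOnly: false };
}

// Fixed selection: the report-only branch reads the report-only header.
function selectCspFixed(middlewareHeaders) {
  const cspContent = middlewareHeaders[CSP_HEADER] || '';
  const cspContentReportOnly = middlewareHeaders[CSP_REPORT_ONLY_HEADER] || '';
  if (cspContent) {
    return { directives: fromCspContent(cspContent), reportOnly: false };
  }
  if (cspContentReportOnly) {
    return { directives: fromCspContent(cspContentReportOnly), reportOnly: true };
  }
  return { directives: {}, reportOnly: false };
}

// What the document would emit for a given selection (assumed shape):
// the header name chosen by reportOnly, and the serialized directives.
function renderDocumentHeader({ directives, reportOnly }) {
  return {
    name: reportOnly ? CSP_REPORT_ONLY_HEADER : CSP_HEADER,
    value: toCspContent(directives),
  };
}

// Constructed sample: only the report-only header is set, as the middleware
// does when reportOnly is true.
const SAMPLE_MIDDLEWARE_HEADERS = {
  [CSP_REPORT_ONLY_HEADER]:
    "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'",
};

console.log('buggy:', renderDocumentHeader(selectCspBuggy(SAMPLE_MIDDLEWARE_HEADERS)));
console.log('fixed:', renderDocumentHeader(selectCspFixed(SAMPLE_MIDDLEWARE_HEADERS)));
```

Running it prints an empty `Content-Security-Policy-Report-Only` value for the buggy path, which is exactly the symptom reported above, and the intact directive list for the fixed path. A useful regression check for report-only mode is therefore: the document's `Content-Security-Policy-Report-Only` value must round-trip to the same directives the middleware set.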