Open zi0Black opened 2 months ago
Hi, can you send an example of your problem? Can’t understand what you mean by "appears to inject some inline JS code without including the nonce value".
To have a strict CSP, you have to either use the hash of your internal or external scripts or use a nonce value (https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce). Next.js opts for the nonce value, which requires middleware so that for each request, the nonce is freshly generated and included in both the headers and the various JavaScript tags on the page. Next.js doesn't allow statically generating a website with support for CSP with strict JS code because they do not support hash generation during build time.
I can't share the code because it comes from a private repository, but to reproduce the issue, it should be sufficient to create a Next.js site with middleware that configures the CSP using the nonce, and then use Nextra to create something, e.g., the doc page, and notice how it doesn't work. IIRC, this issue is linked with routing and app vs pages. I'm sorry but right now I can't go back and reproduce everything ☹️
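A check for the symptom reported in this thread, added here as an example and not code from Next.js, Nextra, or any participant: it reads the nonce from a response's Content-Security-Policy header and lists the inline scripts that a nonce-based policy would block. The function names and the sample response are constructed for illustration.

```javascript
// Return the nonces allowed by script-src (falling back to default-src) in a CSP header value.
function cspScriptNonces(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // Per CSP, only the first occurrence of a directive counts.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  const sources = directives.get('script-src') ?? directives.get('default-src') ?? [];
  return sources
    .map((s) => /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
}

// List inline <script> elements whose nonce attribute is missing or not in the policy.
// Regex scan for auditing server-rendered output; it is not a full HTML parser.
function findUnnoncedInlineScripts(html, cspHeader) {
  const allowed = new Set(cspScriptNonces(cspHeader));
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    if (/(?:^|\s)src\s*=/i.test(attrs)) continue; // external script, not inline
    const type = /(?:^|\s)type\s*=\s*["']?([^"'\s>]+)/i.exec(attrs)?.[1]?.toLowerCase();
    // Data blocks such as application/json are never executed, so CSP does not apply.
    if (type && !/^(module|text\/javascript|application\/javascript)$/.test(type)) continue;
    const nonce = /(?:^|\s)nonce\s*=\s*["']([^"']*)["']/i.exec(attrs)?.[1];
    if (!nonce || !allowed.has(nonce)) {
      findings.push({
        reason: nonce ? 'nonce mismatch' : 'nonce missing',
        snippet: body.trim().slice(0, 60),
      });
    }
  }
  return findings;
}

// Constructed sample response (not taken from Nextra or from the reporter's site).
const sampleCsp = "default-src 'self'; script-src 'self' 'nonce-r4nd0mPerRequest==' 'strict-dynamic'";
const sampleHtml = `
<script nonce="r4nd0mPerRequest==">self.__boot = 1</script>
<script>window.__theme = 'dark'</script>
<script nonce="stale">console.log('cached page')</script>
<script src="/_next/static/chunks/main.js" nonce="r4nd0mPerRequest=="></script>
<script id="__NEXT_DATA__" type="application/json">{"props":{}}</script>`;

console.log(findUnnoncedInlineScripts(sampleHtml, sampleCsp));
```

Run it against the HTML and header of the same response, since the nonce changes on every request; a "nonce mismatch" finding usually points to cached or statically generated markup.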
this issue is linked with routing and app vs pages.
Do you mean the issue comes from pages router? Would you want to try Nextra 4 with app router support and see if it was fixed?
Do you mean the issue comes from pages router?
IIRC The middleware works only with App Route (the only reference I found with a quick search https://github.com/vercel/next.js/issues/67042).
Would you want to try Nextra 4 with app router support and see if it was fixed?
I can create an app to try this out when I have some spare time.
IIRC The middleware works only with App Route (the only reference I found with a quick search https://github.com/vercel/next.js/issues/67042).
Thanks for the information, so it will definitely work with Nextra 4 since support of pages router is removed.
Will add this issue as completed to Nextra 4 roadmap
Hi, I'm wondering if this plug-in is compatible with Next.js CSP. I didn’t find anything in the documentation, and trying it out appears to inject some inline JS code without including the nonce value.
Thanks.