shuding / nextra

Simple, powerful and flexible site generation framework with everything you love from Next.js.
https://nextra.site
MIT License
11.71k stars 1.27k forks

Compatibility with Next.js CSP #3090

Open zi0Black opened 2 months ago

zi0Black commented 2 months ago

Hi, I'm wondering if this plug-in is compatible with Next.js CSP. I didn’t find anything in the documentation, and trying it out appears to inject some inline JS code without including the nonce value.

Thanks.

dimaMachina commented 15 hours ago

Hi, can you send an example of your problem? Can’t understand what you mean by "appears to inject some inline JS code without including the nonce value".

zi0Black commented 5 hours ago

To have a strict CSP, you have to either use the hash of your internal or external scripts or use a nonce value (https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce). Next.js opts for the nonce value, which requires middleware so that for each request, the nonce is freshly generated and included in both the headers and the various JavaScript tags on the page. Next.js doesn't allow statically generating a website with support for CSP with strict JS code because they do not support hash generation during build time.

I can't share the code because it comes from a private repository, but to reproduce the issue, it should be sufficient to create a Next.js site with middleware that configures the CSP using the nonce, and then use Nextra to create something, e.g., the doc page, and notice how it doesn't work. IIRC, this issue is linked with routing and app vs pages. I'm sorry, but right now I can't go back and reproduce everything ☹️
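The symptom reported in this thread (inline scripts served without the per-request nonce) can be checked from outside the app by comparing the served CSP header with the served HTML. The following is an added example, not part of the original thread and not Nextra or Next.js code; the function names, header value and HTML are constructed, and it assumes the policy admits inline scripts by nonce only (no hashes).

```javascript
// Constructed sample input: a nonce-based policy and a page rendered under it.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'nonce-abc123' 'strict-dynamic'; style-src 'self'";
const SAMPLE_HTML = `<!doctype html><html><head>
<script nonce="abc123">window.__boot = 1</script>
<script>document.documentElement.classList.add('dark')</script>
<script id="data" type="application/json">{"page":"/docs"}</script>
<script src="/_next/static/chunks/main.js" nonce="abc123"></script>
<script nonce="stale999">console.log('old nonce')</script>
</head><body></body></html>`;

// Collect the nonces that the policy accepts for <script> elements.
function scriptNonces(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  // script-src-elem takes precedence for elements; default-src is the last fallback.
  const sources = directives.get('script-src-elem') ??
    directives.get('script-src') ?? directives.get('default-src') ?? [];
  const nonces = sources.map((s) => /^'nonce-([^']+)'$/.exec(s)).filter(Boolean);
  return new Set(nonces.map((m) => m[1]));
}

// Empty type, "module" and the JavaScript MIME types execute; other types are data blocks.
const JS_TYPE = /^(module|(text|application)\/(java|ecma)script)?$/i;

// Report inline, executable <script> tags whose nonce is missing or not in the policy.
// Regex tag matching is an approximation that is adequate for auditing rendered output.
function findBlockedInlineScripts(cspHeader, html) {
  const allowed = scriptNonces(cspHeader);
  const blocked = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script, not an inline one
    const type = /\btype\s*=\s*["']?([^"'\s>]*)/i.exec(attrs)?.[1] ?? '';
    if (!JS_TYPE.test(type)) continue; // e.g. application/json is never executed
    const nonce = /\bnonce\s*=\s*["']?([^"'\s>]+)/i.exec(attrs)?.[1] ?? null;
    if (nonce === null || !allowed.has(nonce)) {
      blocked.push({ nonce, snippet: body.trim().slice(0, 60) });
    }
  }
  return blocked;
}

console.log(findBlockedInlineScripts(SAMPLE_CSP, SAMPLE_HTML));
```

Run it against the raw response body rather than the live DOM, because browsers hide the `nonce` attribute value from the DOM once the page is parsed.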

dimaMachina commented 3 hours ago

> this issue is linked with routing and app vs pages.

Do you mean the issue comes from pages router? Would you want to try Nextra 4 with app router support and see if it was fixed?

zi0Black commented 2 hours ago

> Do you mean the issue comes from pages router?

IIRC The middleware works only with App Route (the only reference I found with a quick search https://github.com/vercel/next.js/issues/67042).

> Would you want to try Nextra 4 with app router support and see if it was fixed?

I can create an app to try this out when I have some spare time.

dimaMachina commented 2 hours ago

> IIRC The middleware works only with App Route (the only reference I found with a quick search https://github.com/vercel/next.js/issues/67042).

Thanks for the information, so it will definitely work with Nextra 4 since support of pages router is removed

Will add this issue as completed to Nextra 4 roadmap