Is your feature request related to a problem? Please describe.
The ideas communicated here are related to #12 and #5
Describe the solution you'd like
I am pretty much done with this and came to a solution I like.
Published to NPM package: https://www.npmjs.com/package/@next-safe/middleware
Try the package in StackBlitz: https://github.com/nibtime/demo-next-safe-middleware
Preliminary OSS project (hopefully to be unified with next-safe): https://github.com/nibtime/next-safe-middleware
Describe alternatives you've considered
https://github.com/vercel/next.js/tree/canary/examples/with-strict-csp
This is confusing, as it is not as strict as it is supposed to be. If you add the 'strict-dynamic' directive to this configuration, 'self' will be ignored by CSP3-supporting browsers and then all Next.js framework scripts will be prevented from loading, as they are not trusted.
https://github.com/guydumais/next-strict-csp/issues/5#issue-1114302180
Additional context
https://web.dev/strict-csp/
https://owasp.org/www-pdf-archive/2017-04-20-OWASPNZ-SpagnuoloWeichselbaum.pdf
https://csp.withgoogle.com/docs/strict-csp.html
https://content-security-policy.com/strict-dynamic/
CSP Evaluator Chrome Extension: https://chrome.google.com/webstore/detail/csp-evaluator/fjohamlofnakbnbfjkohkbdigoodcejf
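The 'strict-dynamic' behaviour the issue refers to can be made concrete with a small model of how a CSP3 browser matches a `<script>` against `script-src`. The block below is an added example written for this page; it is not code from Next.js, next-safe or @next-safe/middleware. The policy strings, the nonce value `r4nd0mN0nc3`, the page origin and the script descriptors are all constructed, and the matching rules are a simplification of the CSP3 algorithm (no path matching, no redirects, no `'unsafe-hashes'`).

```javascript
// Added example (not from the Next.js or next-safe projects): a small model
// of how a CSP3 browser decides whether a <script> matches script-src.
// Policies, nonce values and script descriptors below are constructed.

function parseScriptSrc(value) {
  const policy = {
    self: false, strictDynamic: false, unsafeInline: false,
    nonces: new Set(), hashes: new Set(), hosts: [],
  };
  for (const tok of value.trim().split(/\s+/)) {
    if (tok === "'self'") policy.self = true;
    else if (tok === "'strict-dynamic'") policy.strictDynamic = true;
    else if (tok === "'unsafe-inline'") policy.unsafeInline = true;
    else if (tok.startsWith("'nonce-")) policy.nonces.add(tok.slice(7, -1));
    else if (/^'sha(256|384|512)-/.test(tok)) policy.hashes.add(tok.slice(1, -1));
    else policy.hosts.push(tok); // host-source or scheme-source, e.g. https://cdn.example.com
  }
  return policy;
}

// Does a host-source expression cover the script's origin? Simplified to
// "*", a bare scheme such as "https:", a "*.example.com" wildcard, or an
// exact origin/host.
function hostMatches(expr, origin) {
  const host = origin.replace(/^[a-z]+:\/\//i, "");
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return origin.startsWith(expr);
  if (expr.startsWith("*.")) return host.endsWith(expr.slice(1)) && host !== expr.slice(2);
  return origin === expr || host === expr;
}

// script: { origin?, nonce?, hash?, inline?, parserInserted, createdByTrusted? }
function scriptAllowed(policy, script, pageOrigin) {
  // A matching nonce or hash allows the script in CSP2 and CSP3 alike.
  if (script.nonce && policy.nonces.has(script.nonce)) return true;
  if (script.hash && policy.hashes.has(script.hash)) return true;
  if (policy.strictDynamic) {
    // CSP3 'strict-dynamic': 'self', host-sources and 'unsafe-inline' are
    // ignored. Trust propagates only to scripts that an already trusted
    // script creates through non-parser-inserted APIs (createElement + appendChild).
    return !script.parserInserted && script.createdByTrusted === true;
  }
  if (script.inline) {
    // 'unsafe-inline' is ignored once a nonce or hash is present (CSP2 rule).
    return policy.unsafeInline && policy.nonces.size === 0 && policy.hashes.size === 0;
  }
  if (policy.self && script.origin === pageOrigin) return true;
  return policy.hosts.some((h) => hostMatches(h, script.origin));
}

const PAGE = "https://app.example.com"; // constructed page origin
const NONCE = "r4nd0mN0nc3";             // constructed per-response nonce

// A parser-inserted framework chunk rendered into the HTML with no nonce attribute.
const frameworkChunk = { origin: PAGE, parserInserted: true };
// The same chunk once the nonce has been rendered onto its <script> tag.
const noncedChunk = { origin: PAGE, parserInserted: true, nonce: NONCE };
// A chunk appended at runtime (createElement/appendChild) by an already nonced script.
const dynamicChunk = { origin: PAGE, parserInserted: false, createdByTrusted: true };

function evaluate() {
  const allowlist = parseScriptSrc(`'self' 'nonce-${NONCE}'`);
  const strict = parseScriptSrc(`'self' 'strict-dynamic' 'nonce-${NONCE}'`);
  return {
    allowlistFramework: scriptAllowed(allowlist, frameworkChunk, PAGE), // true: 'self' matches
    strictFramework: scriptAllowed(strict, frameworkChunk, PAGE),       // false: 'self' is ignored
    strictNonced: scriptAllowed(strict, noncedChunk, PAGE),             // true: nonce matches
    strictDynamic: scriptAllowed(strict, dynamicChunk, PAGE),           // true: trust propagated
    allowlistDynamic: scriptAllowed(allowlist, dynamicChunk, PAGE),     // true: 'self' still matches
  };
}

console.log(evaluate());
```

The `strictFramework: false` result is the failure the issue describes: once `'strict-dynamic'` is present, `'self'` no longer covers the framework's own `<script src="...">` tags, so every parser-inserted script has to carry the nonce (or a hash) and only runtime-created scripts inherit trust from an already nonced one.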