trezy / next-safe

https://trezy.gitbook.io/next-safe/
BSD 3-Clause "New" or "Revised" License

[BUG]: configuration of CSP report directives (report-uri, report-to) is unsound #41

Open nibtime opened 2 years ago

nibtime commented 2 years ago

Describe the bug

const nextSafe = require('next-safe');

const isDev = process.env.NODE_ENV !== 'production';

module.exports = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: nextSafe({
          isDev,
          contentSecurityPolicy: {
            'frame-ancestors': 'https://stackblitz.com',
            // next-safe ensures that both directives always have the same value.
            // It prefers report-to over report-uri if both are set.
            // This doesn't make sense: for report-uri, a URL is expected.
            // For report-to it is a group name of a Reporting API configuration.
            // It requires a Report-To header for configuration
            // see https://developers.google.com/web/updates/2018/09/reportingapi
            'report-uri': 'https://example.com/csp-report-uri',
            'report-to': 'default',
          },
        }),
      },
    ];
  },
};

Steps To Reproduce

https://stackblitz.com/edit/nextjs-d6qbyi?file=next.config.js

Version

v3.x.x

Relevant log output

base-uri 'none';child-src 'none';connect-src 'self' webpack://*;default-src 'self';font-src 'self';form-action 'self';frame-ancestors https://stackblitz.com;frame-src 'none';img-src 'self';manifest-src 'self';media-src 'self';object-src 'none';prefetch-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self';report-uri default;report-to default;


ghost commented 1 year ago

Hi @trezy, are there any updates on this?

sambauers commented 1 year ago

Should we simply allow configuration of these directives separately to each other? Are there cases where they could be or should be the same?

UncleClapton commented 1 year ago

Just an update here, I've come up with a pretty decent plan of attack to address this, and I'm looking to ship a solution with 4.0.0.

First things first, we're definitely going to de-couple these values, but that leaves users to manage Reporting-Endpoints on their own.

I'd like to add support for generating that header, and I'm looking into the possibility of simplifying configuration so a user only has to provide a single value. next-safe would just automatically handle the rest.
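The decoupled configuration the thread is working toward, as an added example and not next-safe's own code: report-uri carries the endpoint URL, report-to carries a group name, and a Reporting-Endpoints header binds that group name to the URL, all derived from a single endpoint value. The helper names, the default group name `csp-endpoint` and the option shape are assumptions for illustration.

```javascript
// Added example (not next-safe's code). Builds the CSP reporting directives
// and the matching Reporting-Endpoints header so that report-uri gets a URL
// and report-to gets a group name, which is the distinction the bug report
// says next-safe 3.x collapses. Names below are assumptions, not the library's API.

// A Reporting API group name is a simple token, never a URL.
const GROUP_NAME = /^[A-Za-z0-9_-]+$/;

// Derives all three reporting values from one endpoint URL, so the caller
// cannot leave report-uri, report-to and Reporting-Endpoints out of sync.
function buildReportingHeaders(endpointUrl, groupName = 'csp-endpoint') {
  const url = new URL(endpointUrl); // throws if the value is not an absolute URL
  if (url.protocol !== 'https:') {
    throw new Error('reporting endpoint must use https');
  }
  if (!GROUP_NAME.test(groupName)) {
    throw new Error('report-to value must be a group name token, not a URL');
  }
  return {
    'report-uri': url.href,          // legacy directive: the URL itself
    'report-to': groupName,          // Reporting API directive: the group name
    reportingEndpoints: `${groupName}="${url.href}"`, // header that binds name to URL
  };
}

// Renders a directive object into a Content-Security-Policy header value.
function renderCsp(directives) {
  return Object.entries(directives)
    .map(([name, value]) => `${name} ${Array.isArray(value) ? value.join(' ') : value}`)
    .join('; ') + ';';
}

// Example Next.js headers() entries built with the helper (constructed sample policy).
function cspHeaders(endpointUrl) {
  const rep = buildReportingHeaders(endpointUrl);
  const csp = renderCsp({
    'default-src': "'self'",
    'frame-ancestors': 'https://stackblitz.com',
    'report-uri': rep['report-uri'],
    'report-to': rep['report-to'],
  });
  return [
    { key: 'Content-Security-Policy', value: csp },
    { key: 'Reporting-Endpoints', value: rep.reportingEndpoints },
  ];
}
```

Passing the group name where a URL belongs (the `report-uri default` seen in the log output above) is rejected by `new URL()`, so the misconfiguration fails at build time instead of silently producing a policy whose reports go nowhere.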