From ae8b8012e64338378a68840a4b1e2e9ec760cecc Mon Sep 17 00:00:00 2001
From: Magnus Gule
Date: Mon, 25 Sep 2023 22:54:05 +0200
Subject: [PATCH] Removed unusable nonce because of current bug vercel/next.js/issues/55638. Tested on prod and dev

---
 frontend/src/middleware.ts | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
index 46c96b08..1187f609 100644
--- a/frontend/src/middleware.ts
+++ b/frontend/src/middleware.ts
@@ -1,18 +1,23 @@
 import { NextRequest, NextResponse } from 'next/server'
 
+// nonce CSP is currently disabled because of bug:
+// https://github.com/vercel/next.js/issues/55638
+
 export function middleware(request: NextRequest) {
-  const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
   const cspHeader = `
     default-src 'self';
-    script-src 'self' 'nonce-${nonce}';
+    script-src 'self' 'unsafe-inline' http://localhost https: ${process.env.NODE_ENV === 'production' ? '' : `'unsafe-eval'`};
     style-src 'self' 'unsafe-inline';
     font-src 'self' anima-uploads.s3.amazonaws.com fonts.gstatic.com;
     connect-src 'self' https://login.microsoftonline.com;
   `
   const requestHeaders = new Headers(request.headers)
-  requestHeaders.set('x-nonce', nonce)
+
+  // requestHeaders.set('x-nonce', nonce)
   requestHeaders.set(
-    'Content-Security-Policy',
+    // 'Content-Security-Policy',
+    'Content-Security-Policy-Report-Only', // This is used for now to not break
+
     // Replace newline characters and spaces
     cspHeader.replace(/\s{2,}/g, ' ').trim()
   )
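Review bot: The new `script-src` line allows `'unsafe-inline'`, `http://localhost` and the scheme source `https:` in every environment, so after this change the directive permits inline scripts and scripts from any HTTPS origin and no longer constrains script execution the way the removed nonce did; only `'unsafe-eval'` is gated on `NODE_ENV`. If `https:` and `http://localhost` are only needed for development, move them into the non-production branch next to `'unsafe-eval'`, e.g. `script-src 'self' 'unsafe-inline' ${process.env.NODE_ENV === 'production' ? '' : `'unsafe-eval' http://localhost https:`};`, and where third-party scripts are required in production list their specific origins instead of the bare scheme. Switching the header to `Content-Security-Policy-Report-Only` without a `report-to` or `report-uri` directive means violations are only printed to the browser console and never reach the team, so either add a reporting endpoint or note in the comment that the header is currently informational only. The trailing comment `// This is used for now to not break` is cut off mid-sentence; finish it with what it must not break (presumably the pages affected by the linked bug) so the reason for the temporary downgrade is recorded in the file. The body of `middleware` continues past the end of this hunk, so whether the header is also applied to the response is not visible here.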