-
Notifications
You must be signed in to change notification settings - Fork 27.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP nonce not being added to inline scripts #55638
Comments
This comment was marked as spam.
This comment was marked as spam.
This comment has been minimized.
This comment has been minimized.
@yelodevopsi Your issue here looks to be with using Next appears to needs One trick I use is to tell next only to include `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https: http: 'unsafe-inline' ${process.env.NODE_ENV === 'production' ? '' : `'unsafe-eval'`};` |
@sleepdotexe : Sorry, I forgot to mention that I explicitly test the ´with-strict-csp` example here on vercel/next.js. https://github.com/vercel/next.js/tree/canary/examples/with-strict-csp Replacing with I can confirm that only |
Added custom hooks Removed strict-dynamic, since nonce dont work as expected: vercel/next.js#55638
With the current canary/examples/with-strict-csp ...I can confirm that PS: I was previously missing |
…5638. Tested on prod and dev
Just pitching in, having the same issue with my project:
|
Just pitching in, having the same issue with my project:
Next.js 14.0.0 |
This comment has been minimized.
This comment has been minimized.
Same thing,
Also, it's not working even with |
I noticed that if I use the |
We now have docs and recommendations, including updated examples, for this: https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy#nonces |
This closed issue has been automatically locked because it had no new activity for 2 weeks. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you. |
EDIT: See this comment below for an important update.
Verify canary release
Provide environment information
Which example does this report relate to?
with-strict-csp
What browser are you using? (if relevant)
Chrome 116.0.5845.188 (Official Build) (64-bit)
How are you deploying your application? (if relevant)
Vercel, Nodejs 18
Describe the Bug
According to the docs and example, the correct way to implement a strict CSP with nonces is by using middleware. However, even with a clean install of the example, the nonce is not being added to scripts correctly.
The
nonce
property is appearing on<script>
tags, however the value is always empty.A custom
next/script
tag also does not have the nonce value added.gives us:
If I try to show the nonce value on the page itself, it will display valid nonce value, so I don't think the error is with the middleware/nonce creation.
gives us:
Our CSP response header is also correctly showing the nonce:
default-src 'self'; script-src 'self' 'nonce-MzgyYzQ2OGQtMWRhYS00OWFjLTk5NWUtYzliOTM4YjI4NmMx' 'strict-dynamic' 'unsafe-eval';
Expected Behavior
Next's inline
<script>
tags (including ones created from<Script>
components) should have the nonce value added.Should output:
To Reproduce
npx create-next-app --example with-strict-csp with-strict-csp-app
)npm run dev
)<script>
tags for the nonce value.The text was updated successfully, but these errors were encountered: