-
Notifications
You must be signed in to change notification settings - Fork 26.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support adding CSP nonce with content-security-policy-report-only
header
#59071
Support adding CSP nonce with content-security-policy-report-only
header
#59071
Conversation
Allow CI Workflow Run
Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer |
Stats from current PRDefault BuildGeneral Overall increase
|
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
buildDuration | 10.6s | 10.7s | N/A |
buildDurationCached | 5.9s | 6.6s | |
nodeModulesSize | 199 MB | 199 MB | |
nextStartRea..uration (ms) | 425ms | 420ms | N/A |
Client Bundles (main, webpack)
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
199-HASH.js gzip | 30.7 kB | 30.7 kB | N/A |
3f784ff6-HASH.js gzip | 53.3 kB | 53.3 kB | ✓ |
494.HASH.js gzip | 180 B | 181 B | N/A |
framework-HASH.js gzip | 45.2 kB | 45.2 kB | ✓ |
main-app-HASH.js gzip | 241 B | 239 B | N/A |
main-HASH.js gzip | 31.7 kB | 31.7 kB | N/A |
webpack-HASH.js gzip | 1.7 kB | 1.7 kB | ✓ |
Overall change | 100 kB | 100 kB | ✓ |
Legacy Client Bundles (polyfills)
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
polyfills-HASH.js gzip | 31 kB | 31 kB | ✓ |
Overall change | 31 kB | 31 kB | ✓ |
Client Pages
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
_app-HASH.js gzip | 194 B | 195 B | N/A |
_error-HASH.js gzip | 182 B | 181 B | N/A |
amp-HASH.js gzip | 501 B | 503 B | N/A |
css-HASH.js gzip | 322 B | 323 B | N/A |
dynamic-HASH.js gzip | 2.5 kB | 2.5 kB | ✓ |
edge-ssr-HASH.js gzip | 253 B | 255 B | N/A |
head-HASH.js gzip | 348 B | 347 B | N/A |
hooks-HASH.js gzip | 369 B | 368 B | N/A |
image-HASH.js gzip | 4.27 kB | 4.27 kB | N/A |
index-HASH.js gzip | 256 B | 256 B | ✓ |
link-HASH.js gzip | 2.61 kB | 2.6 kB | N/A |
routerDirect..HASH.js gzip | 311 B | 311 B | ✓ |
script-HASH.js gzip | 384 B | 383 B | N/A |
withRouter-HASH.js gzip | 307 B | 308 B | N/A |
1afbb74e6ecf..834.css gzip | 106 B | 106 B | ✓ |
Overall change | 3.17 kB | 3.17 kB | ✓ |
Client Build Manifests
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
_buildManifest.js gzip | 484 B | 483 B | N/A |
Overall change | 0 B | 0 B | ✓ |
Rendered Page Sizes
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
index.html gzip | 529 B | 527 B | N/A |
link.html gzip | 541 B | 542 B | N/A |
withRouter.html gzip | 525 B | 522 B | N/A |
Overall change | 0 B | 0 B | ✓ |
Edge SSR bundle Size
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
edge-ssr.js gzip | 92.6 kB | 92.6 kB | N/A |
page.js gzip | 145 kB | 145 kB | N/A |
Overall change | 0 B | 0 B | ✓ |
Middleware size
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
middleware-b..fest.js gzip | 625 B | 625 B | ✓ |
middleware-r..fest.js gzip | 150 B | 151 B | N/A |
middleware.js gzip | 35.7 kB | 35.7 kB | N/A |
edge-runtime..pack.js gzip | 1.92 kB | 1.92 kB | ✓ |
Overall change | 2.55 kB | 2.55 kB | ✓ |
Next Runtimes
vercel/next.js canary | christianvuerings/next.js support-csp-report-only | Change | |
---|---|---|---|
app-page-exp...dev.js gzip | 168 kB | 168 kB | N/A |
app-page-exp..prod.js gzip | 93.7 kB | 93.8 kB | N/A |
app-page-tur..prod.js gzip | 94.5 kB | 94.5 kB | N/A |
app-page-tur..prod.js gzip | 89 kB | 89.1 kB | N/A |
app-page.run...dev.js gzip | 138 kB | 138 kB | N/A |
app-page.run..prod.js gzip | 88.4 kB | 88.4 kB | N/A |
app-route-ex...dev.js gzip | 24.2 kB | 24.2 kB | ✓ |
app-route-ex..prod.js gzip | 16.8 kB | 16.8 kB | ✓ |
app-route-tu..prod.js gzip | 16.9 kB | 16.9 kB | ✓ |
app-route-tu..prod.js gzip | 16.4 kB | 16.4 kB | ✓ |
app-route.ru...dev.js gzip | 23.6 kB | 23.6 kB | ✓ |
app-route.ru..prod.js gzip | 16.4 kB | 16.4 kB | ✓ |
pages-api-tu..prod.js gzip | 9.37 kB | 9.37 kB | ✓ |
pages-api.ru...dev.js gzip | 9.64 kB | 9.64 kB | ✓ |
pages-api.ru..prod.js gzip | 9.37 kB | 9.37 kB | ✓ |
pages-turbo...prod.js gzip | 21.9 kB | 21.9 kB | ✓ |
pages.runtim...dev.js gzip | 22.6 kB | 22.6 kB | ✓ |
pages.runtim..prod.js gzip | 21.9 kB | 21.9 kB | ✓ |
server.runti..prod.js gzip | 49.3 kB | 49.3 kB | ✓ |
Overall change | 258 kB | 258 kB | ✓ |
Diff details
Diff for page.js
Diff too large to display
Diff for app-page-exp..ntime.dev.js
failed to diff
Diff for app-page-exp..time.prod.js
Diff too large to display
Diff for app-page-tur..time.prod.js
Diff too large to display
Diff for app-page-tur..time.prod.js
Diff too large to display
Diff for app-page.runtime.dev.js
Diff too large to display
Diff for app-page.runtime.prod.js
Diff too large to display
Co-authored-by: Dan Ott <dan@dtott.com>
62ae651
to
8bc5ae7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for fixing the conflicts! Added the original author as a co-author on the commit.
Note: this is mostly a copy of #48969 by @danieltott with all the merge conflicts fixed.
Checklist
content-security-policy-report-only
#48966test/production/app-dir/subresource-integrity/subresource-integrity.test.ts
Description
Currently
renderToHTMLOrFlight
in app-render pulls out a nonce value from acontent-security-policy
header for use in generating script tags:next.js/packages/next/src/server/app-render/app-render.tsx
Line 1204 in e7c9d3c
That misses the ability to use a content-security-policy-report-only header. Many times this is a required step to enabling a CSP - by shipping a CSP with report-only and collecting reports before actually blocking resources.
Changes
content-security-policy-report-only
header inrenderToHTMLOrFlight()
nonce
is correctly applied whencontent-security-policy-report-only
header exists