Release 0.13.0-alpha #39
@@ -14,7 +14,7 @@ const cspDirectives = [
|
|||||||
"style-src 'self' 'unsafe-inline'",
|
"style-src 'self' 'unsafe-inline'",
|
||||||
"img-src 'self' data: blob: https://www.google.com https://*.gstatic.com https://ciphera.net",
|
"img-src 'self' data: blob: https://www.google.com https://*.gstatic.com https://ciphera.net",
|
||||||
"font-src 'self'",
|
"font-src 'self'",
|
||||||
`connect-src 'self' https://*.ciphera.net https://cdn.jsdelivr.net${process.env.NODE_ENV === 'development' ? ' http://localhost:*' : ''}`,
|
`connect-src 'self' https://*.ciphera.net https://ciphera.net https://www.google.com https://*.gstatic.com https://cdn.jsdelivr.net${process.env.NODE_ENV === 'development' ? ' http://localhost:*' : ''}`,
|
||||||
"worker-src 'self'",
|
"worker-src 'self'",
|
||||||
"frame-src 'none'",
|
"frame-src 'none'",
|
||||||
|
|
|||||||
"object-src 'none'",
|
"object-src 'none'",
|
||||||
|
|||||||
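Review bot: the new connect-src entries (https://ciphera.net, https://www.google.com, https://*.gstatic.com) carry no comment saying which feature needs them; connect-src governs fetch/XHR/WebSocket/EventSource destinations, so the wildcard https://*.gstatic.com lets page scripts exchange data with any gstatic subdomain. Add a comment next to the directive naming the consumer, and if only one specific host is contacted, list that host instead of the wildcard. Since img-src already carries the same Google/gstatic hosts, consider keeping both host lists in one shared constant so they do not drift apart.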
'unsafe-inline' in production script-src neutralises XSS protection

The comment acknowledges this is required for Next.js bootstrap scripts, but browsers ignore the entire script-src allowlist when 'unsafe-inline' is present (unless a nonce or hash is also provided). This means the script-src 'self' restriction has no effect in production — any inline script injected by an attacker will execute freely.

The recommended approach for Next.js is to use a per-request nonce (via generateBuildId / middleware) and emit script-src 'nonce-{value}' rather than 'unsafe-inline'. That is non-trivial to set up, but as long as 'unsafe-inline' is present the script-src directive is essentially a no-op from a security standpoint. At a minimum, this is worth a code comment so future contributors don't assume XSS protection is in force.