feat(nosecone-next): Keep 'self' script-src in defaults (#2378)

This refactors the Nosecone Next.js adapter to keep `'self'` in the script-src CSP directive. Generally `'self'` is a warning but it makes integration easier. If `'strict-dynamic'` is specified `'self'` will be ignored as part of the fallback mechanism of CSP so it is fine for us to specify.
arcjet · Dec 2, 2024 · 13348c8 · 13348c8
1 parent 9141e7d
commit 13348c8
Showing 1 changed file with 16 additions and 7 deletions.
diff --git a/nosecone-next/index.ts b/nosecone-next/index.ts
@@ -8,15 +8,13 @@ export const defaults = {
   contentSecurityPolicy: {
     directives: {
       ...baseDefaults.contentSecurityPolicy.directives,
-      scriptSrc:
-        // Replace the defaults to remove `'self'`
-        process.env.NODE_ENV === "development"
-          ? // Next.js hot reloading relies on `eval` so we enable it in development
-            ([nonce, "'unsafe-eval'"] as const)
-          : ([nonce] as const),
+      scriptSrc: [
+        ...baseDefaults.contentSecurityPolicy.directives.scriptSrc,
+        ...nextScriptSrc(),
+      ],
       styleSrc: [
         ...baseDefaults.contentSecurityPolicy.directives.styleSrc,
-        "'unsafe-inline'",
+        ...nextStyleSrc(),
       ],
     },
   },
@@ -29,6 +27,17 @@ function nonce() {
   return `'nonce-${btoa(crypto.randomUUID())}'` as const;
 }
 
+function nextScriptSrc() {
+  return process.env.NODE_ENV === "development"
+    ? // Next.js hot reloading relies on `eval` so we enable it in development
+      ([nonce, "'unsafe-eval'"] as const)
+    : ([nonce] as const);
+}
+
+function nextStyleSrc() {
+  return ["'unsafe-inline'"] as const;
+}
+
 /**
  * Create Next.js middleware that sets secure headers on every request.
  *