fix(nosecone-next): Apply the correct defaults based on env (#2311)

I mistakenly flipped the logic on these defaults—`'unsafe-eval'` needs to be set *only* in development.
arcjet · Nov 25, 2024 · 2bfaa79 · 2bfaa79
1 parent 24d2ee3
commit 2bfaa79
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/nosecone-next/index.ts b/nosecone-next/index.ts
@@ -9,9 +9,9 @@ export const defaults = {
       scriptSrc:
         // Replace the defaults to remove `'self'`
         process.env.NODE_ENV === "development"
-          ? ([nonce, "'strict-dynamic'"] as const)
-          : // Next.js hot reloading relies on `eval` so we enable it in development
-            ([nonce, "'strict-dynamic'", "'unsafe-eval'"] as const),
+          ? // Next.js hot reloading relies on `eval` so we enable it in development
+            ([nonce, "'strict-dynamic'", "'unsafe-eval'"] as const)
+          : ([nonce, "'strict-dynamic'"] as const),
       styleSrc: [
         ...baseDefaults.contentSecurityPolicy.directives.styleSrc,
         "'unsafe-inline'",