From 2bfaa7953d0580b71f69e5d61cb964dcf98873a7 Mon Sep 17 00:00:00 2001
From: blaine-arcjet <146491715+blaine-arcjet@users.noreply.github.com>
Date: Mon, 25 Nov 2024 08:21:51 -0700
Subject: [PATCH] fix(nosecone-next): Apply the correct defaults based on env (#2311)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I mistakenly flipped the logic on these defaults—`'unsafe-eval'` needs to be set *only* in development.
---
 nosecone-next/index.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/nosecone-next/index.ts b/nosecone-next/index.ts
index d810e80e7..bb135b703 100644
--- a/nosecone-next/index.ts
+++ b/nosecone-next/index.ts
@@ -9,9 +9,9 @@ export const defaults = {
 scriptSrc:
 // Replace the defaults to remove `'self'`
 process.env.NODE_ENV === "development"
- ? ([nonce, "'strict-dynamic'"] as const)
- : // Next.js hot reloading relies on `eval` so we enable it in development
- ([nonce, "'strict-dynamic'", "'unsafe-eval'"] as const),
+ ? // Next.js hot reloading relies on `eval` so we enable it in development
+ ([nonce, "'strict-dynamic'", "'unsafe-eval'"] as const)
+ : ([nonce, "'strict-dynamic'"] as const),
 styleSrc: [
 ...baseDefaults.contentSecurityPolicy.directives.styleSrc,
 "'unsafe-inline'",
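Review bot: Nothing in this patch pins the environment-to-directive mapping that was inverted: the diffstat shows only `nosecone-next/index.ts` changed, so the same flip could ship again unnoticed and put `'unsafe-eval'` back into the production `script-src`. A regression test that loads the module with `NODE_ENV` set to `"production"` and asserts the `scriptSrc` default does not contain `'unsafe-eval'` (and does contain it under `"development"`) would cover it; because `defaults` is a module-level constant, the variable presumably has to be set before the module is imported. It is also worth stating the fail-closed behaviour next to the else branch, e.g. `// Any other NODE_ENV value, including unset, gets the strict policy without 'unsafe-eval'`. The `defaults` object starts and ends outside the hunk.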