Skip to content

Commit

Permalink
Merging 1faa6c7 into trunk-temp/pr-2378/6f2ccac0-f4c1-4628-8ea4-981e7…
Browse files Browse the repository at this point in the history
…0623f0c
  • Loading branch information
trunk-io[bot] authored Dec 2, 2024
2 parents 9141e7d + 1faa6c7 commit d5c92f0
Showing 1 changed file with 16 additions and 7 deletions.
23 changes: 16 additions & 7 deletions nosecone-next/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -8,15 +8,13 @@ export const defaults = {
contentSecurityPolicy: {
directives: {
...baseDefaults.contentSecurityPolicy.directives,
scriptSrc:
// Replace the defaults to remove `'self'`
process.env.NODE_ENV === "development"
? // Next.js hot reloading relies on `eval` so we enable it in development
([nonce, "'unsafe-eval'"] as const)
: ([nonce] as const),
scriptSrc: [
...baseDefaults.contentSecurityPolicy.directives.scriptSrc,
...nextScriptSrc(),
],
styleSrc: [
...baseDefaults.contentSecurityPolicy.directives.styleSrc,
"'unsafe-inline'",
...nextStyleSrc(),
],
},
},
Expand All @@ -29,6 +27,17 @@ function nonce() {
return `'nonce-${btoa(crypto.randomUUID())}'` as const;
}

function nextScriptSrc() {
return process.env.NODE_ENV === "development"
? // Next.js hot reloading relies on `eval` so we enable it in development
([nonce, "'unsafe-eval'"] as const)
: ([nonce] as const);
}

function nextStyleSrc() {
return ["'unsafe-inline'"] as const;
}

/**
* Create Next.js middleware that sets secure headers on every request.
*
Expand Down

0 comments on commit d5c92f0

Please sign in to comment.