Skip to content

Commit

Permalink
Only allow unsafe-eval in dev build
Browse files Browse the repository at this point in the history
  • Loading branch information
ekzyis committed Feb 11, 2024
1 parent f5fc261 commit adfa67f
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion middleware.js
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,11 @@ export function middleware (request) {
// see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy.
// Old browsers will ignore nonce and strict-dynamic
// and fallback to host matching, unsafe-inline and unsafe-eval (no protection against XSS)
`script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-${nonce}' 'strict-dynamic' https:`,
process.env.NODE_ENV === 'production'
? `script-src 'self' 'unsafe-inline' 'nonce-${nonce}' 'strict-dynamic' https:`
// unsafe-eval is required during development due to react-refresh.js
// see https://github.com/vercel/next.js/issues/14221
: `script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-${nonce}' 'strict-dynamic' https:`,
// unsafe-inline for styles is not ideal but okay if script-src is using nonces
"style-src 'self' a.stacker.news 'unsafe-inline'",
"manifest-src 'self'",
Expand Down

0 comments on commit adfa67f

Please sign in to comment.