Split up the lib into multiple packages #66

Open
nibtime opened this issue Aug 2, 2022 · 0 comments
Labels: enhancement (New feature or request)

Comments

@nibtime (Owner)

nibtime commented Aug 2, 2022

Motivation

The main problem regarding maintainability is that it is the single package that depends on latest Next as a whole.

  • to support more setups/versions of Next
  • to support next export
  • decoupling from Vercel for more hosting providers
  • to put out major releases gradually for the stuff that works and is tested, and keep the more experimental packages in the minors

@strict-csp/builder

  • basic utilities with typing/IntelliSense for dealing with CSPs, parse/stringify, merge, etc. with fluent builder interface
  • with stackable directive presets (presets for CSP directives #43) for services (GitHub, Vercel, Netlify, headless CMS, Google Fonts ....)
  • with separate crypto bundles for node and V8 runtime (@strict-csp/builder/dist/node, @strict-csp/builder/dist/v8) that include algorithms for hashing and nonce generation

Dependencies

none

@strict-csp/next-ssr

  • injects hashes into scripts with src during prerender or loads them by hashed trusted inline proxy
  • processes Head and initialProps.html for sources
  • writes out static CSP manifest to _next/~csp/csp-manifest.json (Static CSP manifest #40) for post-build-processing
  • additional processing of sources on top of scripts and inline styles can be implemented
  • augment CSP with nonce for dynamic pages

Dependencies

  • @strict-csp/builder
  • next >= 11 (peer): the lowest version that supports next/script

References

vercel/next.js#23993 (comment). This is a good reference for HTML processing for CSP with cheerio

@strict-csp/next-headers

  • build-time post-processing of _next/~csp/csp-manifest.json
  • can write out / extend headers with CSP configuration + data from CSP manifest for several hosting providers (vercel.json, firebase.json, Netlify _headers, ...)
  • enables hash-based strict CSP by Response header with reporting for static sites with next export

Dependencies

  • @strict-csp/builder
  • @strict-csp/next-ssr (peer)

Resources

@next-middleware/chainable

  • utilities to compose/chain middleware, required to ship reusable middleware with a package

Dependencies

  • next >= 12.2.4 (peer): with stable root-level middleware and routing bugs fixed

@strict-csp/next-middleware

  • will have the best DX and versatility, with composable/chainable configuration
  • can factor in dynamic request data (Browser + Version) for CSP configuration

Dependencies

  • @strict-csp/builder
  • @strict-csp/next-ssr (peer)
  • @next-middleware/chainable

Originally posted by @nibtime in #60 (comment)
