fix: strict-dynamic not working on Next 12.2 - internal redesign #38
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
🦋 Changeset detectedLatest commit: d683cd1 The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
nibtime
changed the title
Commit generated via `yarn stage`
Commit generated via `yarn stage`
Next 12.2 single middleware runs on everything, so the `chainMatch` abstraction with bailout from requests by predicate is necessary to run CSP/Security middleware on page request only. `continued` function can turn a regular middleware into a chainable to continue its response in another middleware chain
`req.page.name` ist deprecated, so there is no longer a way to access the file system route name in middleware (was not 100% reliable anyway). There is no replacement, so a redesign was necessary shift towards a single, "Static CSP Manifest" design, where all CSP sources (hashes) are collected and cached into single file(s). writing CSP sources (hashes) to txt at build time is done with lockfile semaphore, like it should have been from the beginning, as multiple workers have to write to the same file. The change should be non-breaking for versions < 12.2, as interfaces stayed the same, just the underlying way the hashes get into the CSP has changed Nonce-based is now completely handled in `getCspInitialProps` for dynamic pages
adapt to updated recommendation of `next/script` usage. Scripts with `beforeInteractive` have to be placed in `_document` now: https://nextjs.org/docs/basic-features/script#beforeinteractive For inline scripts that need to load beforeInteractive, can be put as directly as children of `<Head>` in _document and will automatically hashed/nonced
update infos in package.json
nibtime
changed the title
Merged
|
Hi @philhack thanks for the offer to help out! I released 0.8.0 to NPM yesterday that works for 12.2. Currently, I am trying to shift code out of the PoC state bit by bit towards the first major version, which only now makes sense, that middleware itself is stable. I also didn't think that there would be people who like to use this :D Very essential is also #42, any good ideas there are most welcome. Cheers! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #37