-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: strict-dynamic not working on Next 12.2 - internal redesign #38
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
🦋 Changeset detectedLatest commit: d683cd1 The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Commit generated via `yarn stage`
Commit generated via `yarn stage`
Next 12.2 single middleware runs on everything, so the `chainMatch` abstraction with bailout from requests by predicate is necessary to run CSP/Security middleware on page request only. `continued` function can turn a regular middleware into a chainable to continue its response in another middleware chain
`req.page.name` ist deprecated, so there is no longer a way to access the file system route name in middleware (was not 100% reliable anyway). There is no replacement, so a redesign was necessary shift towards a single, "Static CSP Manifest" design, where all CSP sources (hashes) are collected and cached into single file(s). writing CSP sources (hashes) to txt at build time is done with lockfile semaphore, like it should have been from the beginning, as multiple workers have to write to the same file. The change should be non-breaking for versions < 12.2, as interfaces stayed the same, just the underlying way the hashes get into the CSP has changed Nonce-based is now completely handled in `getCspInitialProps` for dynamic pages
adapt to updated recommendation of `next/script` usage. Scripts with `beforeInteractive` have to be placed in `_document` now: https://nextjs.org/docs/basic-features/script#beforeinteractive For inline scripts that need to load beforeInteractive, can be put as directly as children of `<Head>` in _document and will automatically hashed/nonced
update infos in package.json
Hi @philhack thanks for the offer to help out! I released 0.8.0 to NPM yesterday that works for 12.2. Currently, I am trying to shift code out of the PoC state bit by bit towards the first major version, which only now makes sense, that middleware itself is stable. I also didn't think that there would be people who like to use this :D Very essential is also #42, any good ideas there are most welcome. Cheers! |
Fixes #37