@next-safe/[email protected]

Minor Changes

• #64 02ca36f Thanks @nibtime! - feat: ✨ Hash-based CSP with trusted proxy loader to support Firefox and Safari (fixes #63)

  • Avoids broken SRI validation of Firefox and Safari together with strict-dynamic

  • an important precursor for alternative configuration methods to middleware, that can't dynamically opt-out from strict-dynamic by user agent

• #64 02ca36f Thanks @nibtime! - rebuild/refactor lib into many small modules with CSP manifest (fixes #40)

  • writes out a single file to .next/static/~csp/csp-manifest.json with all information about trustable sources identified during SSR

  • precursor for a multi-package approach to support alternative configuration methods (described in https://github.com/nibtime/next-safe-middleware/discussions/60#discussioncomment-3259782)

  • perf: fetch CSP manifest only once on first access and cache for all subsequent middlewares

• #64 02ca36f Thanks @nibtime! - feat(csp): new CspBuilder class with fluent interface for safe and easy CSP construction + manipulation

@next-safe/[email protected]

Notes

• Next 12.2 brought some significant changes to script insertion behavior / ISR that break the lib in certain cases with prior versions

• All routes with getServerSideProps have to be wrapped with gsspWithNonceAppliedToCsp from now on for Nonce-based CSP to work

• Only Next >= 12.2 is supported by this lib from now on

Minor Changes

• #47 071f993 Thanks @nibtime! - provide gsspWithNonceAppliedToCsp and gipWithNonceAppliedToCsp wrappers to inject nonce into pages with getServerSideProps / getInitialProps.

  BREAKING CHANGE: nonce doesn't get applied to CSP automatically anymore. This extra step is neccessary
  as there is no longer a way of reliably do that with Next 12.2.

  BREAKING CHANGE: drop enhanceAppWithNonce, it's no longer needed as nonce is injected though getServerSideProps of routes/pages now. That's actually a good thing, because customizing renderPage is discouranged

• #47 f9ecbe3 Thanks @nibtime! - 💥 changes to ChainableMiddleware decrease resource utilization (fixes #45)

  • new MiddlewareChainContext interface

  perf: decrease CPU utilization

  • use ctx.cache.get and ctx.cache.set for caching CSP in middleware chain (no serialize/deserialize)
  • write to repsonse only once from chain cache at the end
  • remove unnecessary some double ops

  perf: decrease deployed size

  • use new built-in userAgent from next/server

  BREAKING CHANGE: supports only Stable middleware from now on (needs next >= 12.2, as is specified in peerDeps)

  BREAKING CHANGE: replace ua-parser-js with userAgent from next/server available since 12.2

  BREAKING CHANGE: ChainableMiddleware with (ctx: MiddlewareChainContext) as 3rd parameter.

  BREAKING CHANGE: turn positional params into named params for Configinitializer

Patch Changes

• #47 f9ecbe3 Thanks @nibtime! - fix(document): use any type (children and return value) for components of provideComponents(fixes #46)

• #47 071f993 Thanks @nibtime! - fix(document): support new script insertion behavior

  • handle getPreloadDynamicChunks and getPreloadMainLinks in <Head>
  • hash beforeInteractiveInlineScripts in <Head>
  • handle scripts also in drop-in component for <NextScript>
  • trustify scripts in initialProps.head

• #47 071f993 Thanks @nibtime! - fix(document): prevent application of nonce in production builds (fixes #49)

• #47 f9ecbe3 Thanks @nibtime! - provide base logical operators for chain matchers (request predicates): matchNot, matchAnd, matchOr

• #47 071f993 Thanks @nibtime! - fix(strictDynamic): exclude Safari from Hash-based Strict CSP

  • the problem is probably that Safari isn't truly CSP-3 compliant yet, like Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1409200. strict-dynamic seems to mess up SRI validation there.

• #47 071f993 Thanks @nibtime! - fix: consider basePath from next.config.js for writing and fetching hashes (fixes #48)

• #47 f9ecbe3 Thanks @nibtime! - fix: better isPageRequest matcher

  • exclude only basepaths /_next and /api
  • exclude all paths with file endings
  • exclude isPreviewModeRequest and isNextJsDataRequest (new matchers)

• #47 071f993 Thanks @nibtime! - perf(middleware): telemetry wrapper to log basic measurements and infos from middleware execution

• #47 f9ecbe3 Thanks @nibtime! - fix(csp): handle boolean directives correctly

@next-safe/[email protected]

Minor Changes

• #38 be1c950 Thanks @nibtime! - Internal redesign for Next.js 12.2 (req.page deprecated) (#37)

• #38 be1c950 Thanks @nibtime! - provide new middleware abstractions for Next.js 12.2 stable middleware

  • matchChain function that allows to disable chain execution for certain requests with a matcher (predicate on NextRequest)
  • continued function that allows to continue a middleware response to a middleware chain
  • isPageRequest matcher that matches only requests to Next.js pages

Patch Changes

• #38 be1c950 Thanks @nibtime! - fix: enhanceAppWithNonce as separate function.Must spread nonce into pageProps, else fails with Next 12.2

• #38 be1c950 Thanks @nibtime! - fix: guard critical section with lockfile when writing out hashes for CSP to file at build time

@next-safe/[email protected]

Minor Changes

• #36 2c8c5cd Thanks @nibtime! - new csp middleware with extensive Typing for IntelliSense CSP configuration

  • typing has been borrowed from the SvelteKit CSP Integration, which is excellent
  • handles annoying single quotes in the background, no need to think about them in code

• #36 2c8c5cd Thanks @nibtime! - versatile getCspInitialProps for _document.js

  • flag to opt into styles trustification for CSP
  • flag to opt out from script trustification for CSP
  • option to pass external raw css text to hash for CSP. For instance needed for Mantine, to pass extractCritical(initialProps.html).css (emotion)
  • option to enhance <App> (_app.js) with nonce from SSR (needed for React Providers that can consume a nonce)

• #36 2c8c5cd Thanks @nibtime! - helper to set up CSP violation reprting to Sentry with a one-liner

Patch Changes

• #36 2c8c5cd Thanks @nibtime! - use base64 encoding for nonce instead of Hex

• #32 c9d42e5 Thanks @boennemann! - fix: use open-ended peerDependency ranges

@next-safe/[email protected]

Minor Changes

• #24 af9b7ad Thanks @nibtime! - support exhaustive inline style hashing and noncing in document and strictInlineStyles middleware

Patch Changes

• #26 8340307 Thanks @nibtime! - update getPreNextScripts for the new <Script strategy="worker>" with partytown introduced in Next 12.1.1.

  • follow https://nextjs.org/docs/basic-features/script#off-loading-scripts-to-a-web-worker-experimental to set it up.

@next-safe/[email protected]

Patch Changes

• #20 0e5fe59 Thanks @nibtime! - add hash of empty string to style hashes. CSS-in-js frameworks like stitches seem to need it to not break during hydration

@next-safe/[email protected]

Patch Changes

• #18 b40cc05 Thanks @nibtime! - use correct call order in render() of custom Document components. That should prevent things from breaking in ISR mode.

• #18 b40cc05 Thanks @nibtime! - fetch script/style hashes for /404 route if a request has no route/page. This makes strict CSP work with a custom pages/404.js.

@next-safe/[email protected]

Minor Changes

• #15 e7b4193 Thanks @nibtime! - better bundling config + bundling of external utils. Saves around ~100% size for _middleware - important for edge where limit is 1MB

• #15 e7b4193 Thanks @nibtime! - provide an API handler for easy creation of a report procesing endpoint by Next/Vercel cloud function

• #17 b084027 Thanks @nibtime! - provide strictInlineStyles middleware. Extend dist/document to write out hashes of inline styles (Hash-based) or attach nonce to inline styles (Nonce-based).

• #17 b084027 Thanks @nibtime! - add tellsupported config option (a function) to strictDynamic. Allows for strong customization of fallback behavior by parsed user agent.

@next-safe/[email protected]

Minor Changes

• #13 67469d7 Thanks @nibtime! - provide a uniform middleware builder and configuration interface

• 6b8bbc1 Thanks @nibtime! - add configuration options to strictDynamic (allowUnsafeEval, reportOnly)

@next-safe/[email protected]

Patch Changes

• #11 7f44414 Thanks @nibtime! - add a undefined guard to browser support check of strictDynamic. This led to undesired behavior when user agent is empty/unknown.