Conversation

Member

@jacekradko jacekradko commented Apr 16, 2025

Description

We are going to adjust the CSP configuration option from mode to boolean strict.

Fixes: SDKI-995

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

changeset-bot bot commented Apr 16, 2025

🦋 Changeset detected

Latest commit: c75997b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@clerk/nextjs Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

vercel bot commented Apr 16, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
clerk-js-sandbox ✅ Ready (Inspect) Visit Preview 💬 Add feedback Apr 16, 2025 8:09pm

Contributor

Copilot AI left a comment

Pull Request Overview

This PR updates the Content Security Policy (CSP) configuration in the Next.js package to replace the mode string with a boolean strict parameter, enhancing security by conditionally applying the 'strict-dynamic' attribute and generating a nonce.

  • Replaces the CSP mode string with a boolean "strict" parameter in both API and documentation.
  • Updates related middleware and tests accordingly.
  • Removes the deprecated CSPMode type to streamline the API.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
packages/nextjs/src/server/content-security-policy.ts Updates CSP generation functions and documentation to use "strict"
packages/nextjs/src/server/clerkMiddleware.ts Adapts usage of createCSPHeader to the new "strict" parameter
packages/nextjs/src/server/tests/content-security-policy.test.ts Adjusts test cases to reflect the boolean "strict" parameter
.changeset/free-crews-sin.md Updates the changeset to communicate the change in CSP configuration

@jacekradko jacekradko merged commit b6bfe06 into main Apr 16, 2025
32 checks passed
@jacekradko jacekradko deleted the feat/change-next-middleware-csp-config branch April 16, 2025 21:15