-
Notifications
You must be signed in to change notification settings - Fork 26.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: pass nonce
to next/script
with afterInteractive
strategy
#56995
Conversation
Allow CI Workflow Run
Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer |
43ac5d0
to
43b467c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, as ReactDOMFloat
does have nonce
(https://github.com/facebook/react/blob/6db7f4209e6f32ebde298a0b7451710dd6aa3e19/packages/react-dom/src/shared/ReactDOMFloat.js#L129) supports.
@SukkaW, anything else you need from me? |
43b467c
to
cdb18a1
Compare
@timneutkens @ijjk, sorry for the ping but any chance we can get this reviewed and merged :)? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at these it seems there is another case that is missing the nonce on preload 🤔 https://github.com/vercel/next.js/pull/56995/files#diff-d7794cd766752e9cdff323db1f142a20fc6ac348eb399d0ec5f600ed122d4b0eR346-R348
Stats from current PRDefault Build (Increase detected
|
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
buildDuration | 14.1s | 13.9s | N/A |
buildDurationCached | 7.4s | 6.3s | N/A |
nodeModulesSize | 199 MB | 199 MB | |
nextStartRea..uration (ms) | 395ms | 406ms | N/A |
Client Bundles (main, webpack)
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
2453-HASH.js gzip | 31.4 kB | 31.4 kB | N/A |
3304.HASH.js gzip | 181 B | 181 B | ✓ |
3f784ff6-HASH.js gzip | 53.7 kB | 53.7 kB | ✓ |
8299-HASH.js gzip | 5.04 kB | 5.04 kB | N/A |
framework-HASH.js gzip | 45.2 kB | 45.2 kB | ✓ |
main-app-HASH.js gzip | 241 B | 242 B | N/A |
main-HASH.js gzip | 32.2 kB | 32.2 kB | N/A |
webpack-HASH.js gzip | 1.68 kB | 1.68 kB | N/A |
Overall change | 99 kB | 99 kB | ✓ |
Legacy Client Bundles (polyfills)
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
polyfills-HASH.js gzip | 31 kB | 31 kB | ✓ |
Overall change | 31 kB | 31 kB | ✓ |
Client Pages
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
_app-HASH.js gzip | 196 B | 197 B | N/A |
_error-HASH.js gzip | 184 B | 184 B | ✓ |
amp-HASH.js gzip | 505 B | 505 B | ✓ |
css-HASH.js gzip | 324 B | 325 B | N/A |
dynamic-HASH.js gzip | 2.5 kB | 2.5 kB | N/A |
edge-ssr-HASH.js gzip | 258 B | 258 B | ✓ |
head-HASH.js gzip | 352 B | 352 B | ✓ |
hooks-HASH.js gzip | 370 B | 371 B | N/A |
image-HASH.js gzip | 4.21 kB | 4.21 kB | ✓ |
index-HASH.js gzip | 259 B | 259 B | ✓ |
link-HASH.js gzip | 2.67 kB | 2.67 kB | N/A |
routerDirect..HASH.js gzip | 314 B | 312 B | N/A |
script-HASH.js gzip | 386 B | 386 B | ✓ |
withRouter-HASH.js gzip | 309 B | 309 B | ✓ |
1afbb74e6ecf..834.css gzip | 106 B | 106 B | ✓ |
Overall change | 6.57 kB | 6.57 kB | ✓ |
Client Build Manifests
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
_buildManifest.js gzip | 481 B | 484 B | N/A |
Overall change | 0 B | 0 B | ✓ |
Rendered Page Sizes
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
index.html gzip | 529 B | 529 B | ✓ |
link.html gzip | 541 B | 542 B | N/A |
withRouter.html gzip | 524 B | 523 B | N/A |
Overall change | 529 B | 529 B | ✓ |
Edge SSR bundle Size
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
edge-ssr.js gzip | 95.3 kB | 95.3 kB | N/A |
page.js gzip | 3.04 kB | 3.04 kB | N/A |
Overall change | 0 B | 0 B | ✓ |
Middleware size
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
middleware-b..fest.js gzip | 626 B | 625 B | N/A |
middleware-r..fest.js gzip | 151 B | 151 B | ✓ |
middleware.js gzip | 25.5 kB | 25.5 kB | N/A |
edge-runtime..pack.js gzip | 839 B | 839 B | ✓ |
Overall change | 990 B | 990 B | ✓ |
Next Runtimes
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
app-page-exp...dev.js gzip | 170 kB | 170 kB | ✓ |
app-page-exp..prod.js gzip | 97 kB | 97 kB | ✓ |
app-page-tur..prod.js gzip | 98.8 kB | 98.8 kB | ✓ |
app-page-tur..prod.js gzip | 93 kB | 93 kB | ✓ |
app-page.run...dev.js gzip | 144 kB | 144 kB | ✓ |
app-page.run..prod.js gzip | 91.5 kB | 91.5 kB | ✓ |
app-route-ex...dev.js gzip | 21.4 kB | 21.4 kB | ✓ |
app-route-ex..prod.js gzip | 15.2 kB | 15.2 kB | ✓ |
app-route-tu..prod.js gzip | 15.2 kB | 15.2 kB | ✓ |
app-route-tu..prod.js gzip | 14.9 kB | 14.9 kB | ✓ |
app-route.ru...dev.js gzip | 21.1 kB | 21.1 kB | ✓ |
app-route.ru..prod.js gzip | 14.9 kB | 14.9 kB | ✓ |
pages-api-tu..prod.js gzip | 9.55 kB | 9.55 kB | ✓ |
pages-api.ru...dev.js gzip | 9.82 kB | 9.82 kB | ✓ |
pages-api.ru..prod.js gzip | 9.55 kB | 9.55 kB | ✓ |
pages-turbo...prod.js gzip | 22.5 kB | 22.5 kB | ✓ |
pages.runtim...dev.js gzip | 23.1 kB | 23.1 kB | ✓ |
pages.runtim..prod.js gzip | 22.4 kB | 22.4 kB | ✓ |
server.runti..prod.js gzip | 51 kB | 51 kB | ✓ |
Overall change | 945 kB | 945 kB | ✓ |
build cache Overall increase ⚠️
vercel/next.js canary | kevva/next.js fix-after-interactive-nonce | Change | |
---|---|---|---|
0.pack gzip | 1.58 MB | 1.58 MB | |
index.pack gzip | 106 kB | 106 kB | N/A |
Overall change | 1.58 MB | 1.58 MB |
Diff details
Diff for middleware.js
Diff too large to display
Diff for main-HASH.js
Diff too large to display
Failing test suitesCommit: b32d9a9
Expand output● app dir - with output export - dynamic api route prod › production mode › should work in prod with dynamicPage 'force-static'
Read more about building and testing Next.js in contributing.md. |
Not sure they're needed if |
Hey @kevva It seems like this PR is almost ready, we just need to decide on the |
@kevva The So I guess it's required, and the suggestion from @timneutkens should be implemented? Cc @leerob @ijjk @gnoff @danieltott this is currently causing strict CSPs to report errors on preload requests when using |
21a5e90
to
b04a847
Compare
@timneutkens, I addressed the |
@timneutkens @karlhorky My team is hoping this PR will be merged in soon. It's currently blocking our transition from Pages Router to App Router because of the CSP requirement our broader org sets. This feels like it's close to the finish line—anything I can do to speed this up? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added change and test look good just expanded it a bit, thanks for the PR!
What?
This fixes an issue where the
nonce
attribute isn't set onnext/script
elements that has theafterInteractive
(the default) strategy resulting in<link rel="preload" as="script"/>
tags without a nonce.Why?
For apps that uses 3rd party scripts (or any script) with a nonce loaded via
next/script
this is necessary unless you want them all to usebeforeInteractive
which isn't super nice for performance.