Nonce doesn't applied to all scripts using turbopack #64037
Labels
bug
Issue was opened via the bug report template.
linear: turbopack
Confirmed issue that is tracked by the Turbopack team.
locked
Turbopack
Related to Turbopack with Next.js.
Comments
|
any thoughts on this? |
timneutkens
added
the
linear: turbopack
|
Created a significantly simpler reproduction: https://codesandbox.io/p/github/r34son/profile/csb-7xqzp4/draft/reverent-hill?file=%2Fsrc%2Fapp%2F%5Blocale%5D%2Flayout.tsx url: https://7xqzp4-3000.csb.app/en In the future please make sure that the reproduction linked is not a large application as it causes significant overhead/delays in fixing the issue as we have to manually figure out what you meant exactly being the root cause of the issue. I.e. I just spent 40 minutes deleting your application code. You were also using 5 different experimental flags in the reproduction. |
timneutkens
added a commit
that referenced
this issue
May 8, 2024
|
Added a failing test: #65508 |
|
Fixed it in #65508, thank for the report! |
|
@timneutkens Great news! Thank you! |
timneutkens
added a commit
that referenced
this issue
May 9, 2024
timneutkens
added a commit
that referenced
this issue
May 10, 2024
## What Ensures `nonce` is added to script and link tags Next.js renders. Additional cases it now handles: - We already passed `nonce` to the React rendering, though not consistently on all cases where `renderToStream` is called, I'm surprised there haven't been more reports of this, but now it will pass it on all cases where React rendering is called that I could find - In `get-layer-assets.tsx` we now pass `nonce` to both the `script` and `link` tags - When calling `ReactDOM.preload` the nonce was missing as well, ensured that the nonce is included in that case as well. Added a test that mimicks the reproduction by adding `next/font` in this case. Fixes #64037 Closes PACK-2973 <!-- Thanks for opening a PR! Your contribution is much appreciated. To make sure your PR is handled as smoothly as possible we request that you follow the checklist sections below. Choose the right checklist for the change(s) that you're making: ## For Contributors ### Improving Documentation - Run `pnpm prettier-fix` to fix formatting issues before opening the PR. - Read the Docs Contribution Guide to ensure your contribution follows the docs guidelines: https://nextjs.org/docs/community/contribution-guide ### Adding or Updating Examples - The "examples guidelines" are followed from our contributing doc https://github.com/vercel/next.js/blob/canary/contributing/examples/adding-examples.md - Make sure the linting passes by running `pnpm build && pnpm lint`. See https://github.com/vercel/next.js/blob/canary/contributing/repository/linting.md ### Fixing a bug - Related issues linked using `fixes #number` - Tests added. See: https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ### Adding a feature - Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. (A discussion must be opened, see https://github.com/vercel/next.js/discussions/new?category=ideas) - Related issues/discussions are linked using `fixes #number` - e2e tests added (https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs) - Documentation added - Telemetry added. In case of a feature if it's used or not. - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ## For Maintainers - Minimal description (aim for explaining to someone not on the team to understand the PR) - When linking to a Slack thread, you might want to share details of the conclusion - Link both the Linear (Fixes NEXT-xxx) and the GitHub issues - Add review comments if necessary to explain to the reviewer the logic behind a change ### What? ### Why? ### How? Closes NEXT- Fixes # -->
|
@timneutkens Found one more place where nonce isn't applied. Here in webpack chunk nonce is undefined somehow: |
panteliselef
pushed a commit
to panteliselef/next.js
that referenced
this issue
May 20, 2024
## What Ensures `nonce` is added to script and link tags Next.js renders. Additional cases it now handles: - We already passed `nonce` to the React rendering, though not consistently on all cases where `renderToStream` is called, I'm surprised there haven't been more reports of this, but now it will pass it on all cases where React rendering is called that I could find - In `get-layer-assets.tsx` we now pass `nonce` to both the `script` and `link` tags - When calling `ReactDOM.preload` the nonce was missing as well, ensured that the nonce is included in that case as well. Added a test that mimicks the reproduction by adding `next/font` in this case. Fixes vercel#64037 Closes PACK-2973 <!-- Thanks for opening a PR! Your contribution is much appreciated. To make sure your PR is handled as smoothly as possible we request that you follow the checklist sections below. Choose the right checklist for the change(s) that you're making: ## For Contributors ### Improving Documentation - Run `pnpm prettier-fix` to fix formatting issues before opening the PR. - Read the Docs Contribution Guide to ensure your contribution follows the docs guidelines: https://nextjs.org/docs/community/contribution-guide ### Adding or Updating Examples - The "examples guidelines" are followed from our contributing doc https://github.com/vercel/next.js/blob/canary/contributing/examples/adding-examples.md - Make sure the linting passes by running `pnpm build && pnpm lint`. See https://github.com/vercel/next.js/blob/canary/contributing/repository/linting.md ### Fixing a bug - Related issues linked using `fixes #number` - Tests added. See: https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ### Adding a feature - Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. (A discussion must be opened, see https://github.com/vercel/next.js/discussions/new?category=ideas) - Related issues/discussions are linked using `fixes #number` - e2e tests added (https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs) - Documentation added - Telemetry added. In case of a feature if it's used or not. - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ## For Maintainers - Minimal description (aim for explaining to someone not on the team to understand the PR) - When linking to a Slack thread, you might want to share details of the conclusion - Link both the Linear (Fixes NEXT-xxx) and the GitHub issues - Add review comments if necessary to explain to the reviewer the logic behind a change ### What? ### Why? ### How? Closes NEXT- Fixes # -->
|
This closed issue has been automatically locked because it had no new activity for 2 weeks. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Link to the code that reproduces this issue
https://github.com/r34son/profile
To Reproduce
Current vs. Expected behavior
few scripts without nonce
Provide environment information
Operating System: Platform: darwin Arch: arm64 Version: Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:44 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T6000 Available memory (MB): 32768 Available CPU cores: 10 Binaries: Node: 20.12.0 npm: 10.5.0 Yarn: N/A pnpm: 8.15.6 Relevant Packages: next: 14.2.0-canary.55 // Latest available version is detected (14.2.0-canary.55). eslint-config-next: 14.1.4 react: 18.2.0 react-dom: 18.2.0 typescript: 5.4.3 Next.js Config: output: standaloneWhich area(s) are affected? (Select all that apply)
Turbopack (--turbo)
Which stage(s) are affected? (Select all that apply)
next dev (local)
Additional context
No response
PACK-2973
The text was updated successfully, but these errors were encountered: