Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Middleware added Nonce attributes missing from TypeScript production builds #66871

Open
andymagill opened this issue Jun 14, 2024 · 0 comments
Open

Middleware added Nonce attributes missing from TypeScript production builds #66871

andymagill opened this issue Jun 14, 2024 · 0 comments
Labels
bug Issue was opened via the bug report template. Documentation Related to Next.js' official documentation. Middleware Related to Next.js Middleware TypeScript Related to types with Next.js.

Comments

@andymagill
Copy link

Link to the code that reproduces this issue

https://github.com/andymagill/csp-middleware-nextjs-bug/tree/main

To Reproduce

  1. Create a local copy of the reproduction template via yarn create next-app --example reproduction-template reproduction-app
  2. Add the middleware.ts TypeScript (not JS) file from the documentation : https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy
  3. Build the project via yarn install then yarn run build then yarn run start
  4. Open the browser console to see CSP errors for each bundle. Alternatively, inspect the source of the server response to confirm bundles have no nonce attribute.

Current vs. Expected behavior

Current behavior: nonce attributes are missing from bundles
Expected behavior: nonce attributes are present on bundles

Provide environment information

Operating System:
  Platform: win32
  Arch: x64
  Version: Windows 11 Pro
  Available memory (MB): 16093
  Available CPU cores: 16
Binaries:
  Node: 20.11.0
  npm: N/A
  Yarn: N/A
  pnpm: N/A
Relevant Packages:
  next: 14.2.4 // Latest available version is detected (14.2.4).
  eslint-config-next: N/A
  react: 18.3.1
  react-dom: 18.3.1
  typescript: 4.9.5
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Documentation, Middleware, TypeScript

Which stage(s) are affected? (Select all that apply)

next build (local)

Additional context

This behavior appears to be specific to production builds of next.js typescript middleware. Running yarn run dev in the example repo works fine and correctly adds the nonce. The "with-strict-csp" example with the middleware.JS (not ts) also correctly adds the nonce on production builds.

Currently, I see no way to add nonces to Next.JS TypeScript projects using the documented methods.
@andymagill andymagill added the bug Issue was opened via the bug report template. label Jun 14, 2024
@github-actions github-actions bot added Documentation Related to Next.js' official documentation. Middleware Related to Next.js Middleware TypeScript Related to types with Next.js. labels Jun 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Issue was opened via the bug report template. Documentation Related to Next.js' official documentation. Middleware Related to Next.js Middleware TypeScript Related to types with Next.js.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andymagill