feat!(next/image): change default Content-Disposition to attachment #65631
Merged
styfle requested review from timneutkens, ijjk, shuding, huozhi, ztanner, a team, feedthejim and wyattjoh as code owners May 10, 2024 21:10
styfle requested review from timeyoutakeit and leerob and removed request for a team May 10, 2024 21:10
ijjk added the labels created-by: Next.js team (PRs by the Next.js team.), Documentation (Related to Next.js' official documentation.), tests, type: next May 10, 2024
All broken links are now fixed, thank you!
Tests Passed
Stats from current PR
Default Build (Increase detected)
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
buildDuration | 21.6s | 20.1s | N/A |
buildDurationCached | 11.9s | 10.1s | N/A |
nodeModulesSize | 345 MB | 345 MB | |
nextStartRea..uration (ms) | 498ms | 505ms | N/A |
Client Bundles (main, webpack)
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
2262-HASH.js gzip | 5.06 kB | 5.06 kB | N/A |
69089819-HASH.js gzip | 50.8 kB | 50.8 kB | N/A |
7522.HASH.js gzip | 169 B | 169 B | ✓ |
9921-HASH.js gzip | 33.6 kB | 33.6 kB | N/A |
framework-HASH.js gzip | 55.8 kB | 55.8 kB | N/A |
main-app-HASH.js gzip | 227 B | 228 B | N/A |
main-HASH.js gzip | 32.3 kB | 32.3 kB | N/A |
webpack-HASH.js gzip | 1.71 kB | 1.7 kB | N/A |
Overall change | 169 B | 169 B | ✓ |
Legacy Client Bundles (polyfills)
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
polyfills-HASH.js gzip | 31 kB | 31 kB | ✓ |
Overall change | 31 kB | 31 kB | ✓ |
Client Pages
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
_app-HASH.js gzip | 191 B | 193 B | N/A |
_error-HASH.js gzip | 192 B | 192 B | ✓ |
amp-HASH.js gzip | 510 B | 511 B | N/A |
css-HASH.js gzip | 341 B | 342 B | N/A |
dynamic-HASH.js gzip | 2.52 kB | 2.52 kB | ✓ |
edge-ssr-HASH.js gzip | 266 B | 265 B | N/A |
head-HASH.js gzip | 365 B | 365 B | ✓ |
hooks-HASH.js gzip | 392 B | 392 B | ✓ |
image-HASH.js gzip | 4.27 kB | 4.27 kB | N/A |
index-HASH.js gzip | 268 B | 268 B | ✓ |
link-HASH.js gzip | 2.69 kB | 2.69 kB | N/A |
routerDirect..HASH.js gzip | 327 B | 329 B | N/A |
script-HASH.js gzip | 392 B | 396 B | N/A |
withRouter-HASH.js gzip | 324 B | 324 B | ✓ |
1afbb74e6ecf..834.css gzip | 106 B | 106 B | ✓ |
Overall change | 4.17 kB | 4.17 kB | ✓ |
Client Build Manifests
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
_buildManifest.js gzip | 484 B | 486 B | N/A |
Overall change | 0 B | 0 B | ✓ |
Rendered Page Sizes
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
index.html gzip | 528 B | 530 B | N/A |
link.html gzip | 541 B | 543 B | N/A |
withRouter.html gzip | 522 B | 525 B | N/A |
Overall change | 0 B | 0 B | ✓ |
Edge SSR bundle Size
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
edge-ssr.js gzip | 120 kB | 120 kB | N/A |
page.js gzip | 180 kB | 180 kB | N/A |
Overall change | 0 B | 0 B | ✓ |
Middleware size
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
middleware-b..fest.js gzip | 661 B | 658 B | N/A |
middleware-r..fest.js gzip | 156 B | 156 B | ✓ |
middleware.js gzip | 25.7 kB | 25.7 kB | N/A |
edge-runtime..pack.js gzip | 839 B | 839 B | ✓ |
Overall change | 995 B | 995 B | ✓ |
Next Runtimes
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
app-page-exp...dev.js gzip | 174 kB | 174 kB | N/A |
app-page-exp..prod.js gzip | 106 kB | 106 kB | N/A |
app-page-tur..prod.js gzip | 115 kB | 115 kB | N/A |
app-page-tur..prod.js gzip | 95 kB | 95 kB | N/A |
app-page.run...dev.js gzip | 160 kB | 160 kB | N/A |
app-page.run..prod.js gzip | 93.6 kB | 93.6 kB | N/A |
app-route-ex...dev.js gzip | 20.9 kB | 20.9 kB | ✓ |
app-route-ex..prod.js gzip | 15 kB | 15 kB | ✓ |
app-route-tu..prod.js gzip | 15 kB | 15 kB | ✓ |
app-route-tu..prod.js gzip | 14.8 kB | 14.8 kB | ✓ |
app-route.ru...dev.js gzip | 20.7 kB | 20.7 kB | ✓ |
app-route.ru..prod.js gzip | 14.8 kB | 14.8 kB | ✓ |
pages-api-tu..prod.js gzip | 9.55 kB | 9.55 kB | ✓ |
pages-api.ru...dev.js gzip | 9.82 kB | 9.82 kB | ✓ |
pages-api.ru..prod.js gzip | 9.55 kB | 9.55 kB | ✓ |
pages-turbo...prod.js gzip | 21.5 kB | 21.5 kB | N/A |
pages.runtim...dev.js gzip | 22 kB | 22 kB | N/A |
pages.runtim..prod.js gzip | 21.4 kB | 21.4 kB | ✓ |
server.runti..prod.js gzip | 51.8 kB | 51.8 kB | ✓ |
Overall change | 203 kB | 203 kB | ✓ |
build cache Overall increase ⚠️
vercel/next.js canary | vercel/next.js styfle/img-content-disposition-attachment | Change | |
---|---|---|---|
0.pack gzip | 1.64 MB | 1.65 MB | |
index.pack gzip | 126 kB | 126 kB | N/A |
Overall change | 1.64 MB | 1.65 MB |
Diff details
Diff for image-HASH.js
@@ -1,7 +1,7 @@
(self["webpackChunk_N_E"] = self["webpackChunk_N_E"] || []).push([
[8358],
{
- /***/ 5497: /***/ (
+ /***/ 2307: /***/ (
__unused_webpack_module,
__unused_webpack_exports,
__webpack_require__
@@ -9,7 +9,7 @@
(window.__NEXT_P = window.__NEXT_P || []).push([
"/image",
function () {
- return __webpack_require__(7374);
+ return __webpack_require__(6812);
},
]);
if (false) {
@@ -18,7 +18,7 @@
/***/
},
- /***/ 3508: /***/ (module, exports, __webpack_require__) => {
+ /***/ 6470: /***/ (module, exports, __webpack_require__) => {
"use strict";
/* __next_internal_client_entry_do_not_use__ cjs */
Object.defineProperty(exports, "__esModule", {
@@ -40,15 +40,15 @@
__webpack_require__(5439)
);
const _head = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(8279)
+ __webpack_require__(5691)
);
- const _getimgprops = __webpack_require__(1598);
- const _imageconfig = __webpack_require__(134);
- const _imageconfigcontextsharedruntime = __webpack_require__(7837);
- const _warnonce = __webpack_require__(8099);
- const _routercontextsharedruntime = __webpack_require__(7475);
+ const _getimgprops = __webpack_require__(2069);
+ const _imageconfig = __webpack_require__(8526);
+ const _imageconfigcontextsharedruntime = __webpack_require__(2608);
+ const _warnonce = __webpack_require__(8309);
+ const _routercontextsharedruntime = __webpack_require__(4990);
const _imageloader = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(9190)
+ __webpack_require__(7291)
);
// This is replaced by webpack define plugin
const configEnv = {
@@ -376,7 +376,7 @@
/***/
},
- /***/ 1598: /***/ (
+ /***/ 2069: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -392,9 +392,9 @@
return getImgProps;
},
});
- const _warnonce = __webpack_require__(8099);
- const _imageblursvg = __webpack_require__(6874);
- const _imageconfig = __webpack_require__(134);
+ const _warnonce = __webpack_require__(8309);
+ const _imageblursvg = __webpack_require__(7976);
+ const _imageconfig = __webpack_require__(8526);
const VALID_LOADING_VALUES =
/* unused pure expression or super */ null && [
"lazy",
@@ -769,7 +769,7 @@
/***/
},
- /***/ 6874: /***/ (__unused_webpack_module, exports) => {
+ /***/ 7976: /***/ (__unused_webpack_module, exports) => {
"use strict";
/**
* A shared function, used on both client and server, to generate a SVG blur placeholder.
@@ -824,7 +824,7 @@
/***/
},
- /***/ 2028: /***/ (
+ /***/ 4186: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -851,10 +851,10 @@
},
});
const _interop_require_default = __webpack_require__(1478);
- const _getimgprops = __webpack_require__(1598);
- const _imagecomponent = __webpack_require__(3508);
+ const _getimgprops = __webpack_require__(2069);
+ const _imagecomponent = __webpack_require__(6470);
const _imageloader = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(9190)
+ __webpack_require__(7291)
);
function getImageProps(imgProps) {
const { props } = (0, _getimgprops.getImgProps)(imgProps, {
@@ -886,7 +886,7 @@
/***/
},
- /***/ 9190: /***/ (__unused_webpack_module, exports) => {
+ /***/ 7291: /***/ (__unused_webpack_module, exports) => {
"use strict";
Object.defineProperty(exports, "__esModule", {
@@ -921,7 +921,7 @@
/***/
},
- /***/ 7374: /***/ (
+ /***/ 6812: /***/ (
__unused_webpack_module,
__webpack_exports__,
__webpack_require__
@@ -938,8 +938,8 @@
// EXTERNAL MODULE: ./node_modules/.pnpm/react@19.0.0-beta-4508873393-20240430/node_modules/react/jsx-runtime.js
var jsx_runtime = __webpack_require__(3456);
- // EXTERNAL MODULE: ./node_modules/.pnpm/file+..+main-repo+packages+next+next-packed.tgz_react-dom@19.0.0-beta-4508873393-20240430_rea_65yyqpgvftv4sckwrae5ytuiki/node_modules/next/image.js
- var next_image = __webpack_require__(5008);
+ // EXTERNAL MODULE: ./node_modules/.pnpm/file+..+diff-repo+packages+next+next-packed.tgz_react-dom@19.0.0-beta-4508873393-20240430_rea_bi4li5t763kdoqq4snruxkmfcu/node_modules/next/image.js
+ var next_image = __webpack_require__(932);
var image_default = /*#__PURE__*/ __webpack_require__.n(next_image); // CONCATENATED MODULE: ./pages/nextjs.png
/* harmony default export */ const nextjs = {
src: "/_next/static/media/nextjs.cae0b805.png",
@@ -969,12 +969,12 @@
/***/
},
- /***/ 5008: /***/ (
+ /***/ 932: /***/ (
module,
__unused_webpack_exports,
__webpack_require__
) => {
- module.exports = __webpack_require__(2028);
+ module.exports = __webpack_require__(4186);
/***/
},
@@ -984,7 +984,7 @@
/******/ var __webpack_exec__ = (moduleId) =>
__webpack_require__((__webpack_require__.s = moduleId));
/******/ __webpack_require__.O(0, [2888, 9774, 179], () =>
- __webpack_exec__(5497)
+ __webpack_exec__(2307)
);
/******/ var __webpack_exports__ = __webpack_require__.O();
/******/ _N_E = __webpack_exports__;
Diff for 2262-HASH.js
@@ -1,8 +1,8 @@
"use strict";
(self["webpackChunk_N_E"] = self["webpackChunk_N_E"] || []).push([
- [2262],
+ [9922],
{
- /***/ 2262: /***/ (module, exports, __webpack_require__) => {
+ /***/ 9922: /***/ (module, exports, __webpack_require__) => {
/* __next_internal_client_entry_do_not_use__ cjs */
Object.defineProperty(exports, "__esModule", {
value: true,
@@ -13,25 +13,25 @@
return Image;
},
});
- const _interop_require_default = __webpack_require__(5790);
- const _interop_require_wildcard = __webpack_require__(9295);
- const _jsxruntime = __webpack_require__(7001);
+ const _interop_require_default = __webpack_require__(7421);
+ const _interop_require_wildcard = __webpack_require__(9052);
+ const _jsxruntime = __webpack_require__(9401);
const _react = /*#__PURE__*/ _interop_require_wildcard._(
- __webpack_require__(5206)
+ __webpack_require__(7809)
);
const _reactdom = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(4047)
+ __webpack_require__(9941)
);
const _head = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(8171)
+ __webpack_require__(6353)
);
- const _getimgprops = __webpack_require__(3122);
- const _imageconfig = __webpack_require__(6913);
- const _imageconfigcontextsharedruntime = __webpack_require__(9371);
- const _warnonce = __webpack_require__(2082);
- const _routercontextsharedruntime = __webpack_require__(9469);
+ const _getimgprops = __webpack_require__(3210);
+ const _imageconfig = __webpack_require__(6701);
+ const _imageconfigcontextsharedruntime = __webpack_require__(289);
+ const _warnonce = __webpack_require__(3096);
+ const _routercontextsharedruntime = __webpack_require__(3144);
const _imageloader = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(7544)
+ __webpack_require__(2975)
);
// This is replaced by webpack define plugin
const configEnv = {
@@ -360,7 +360,7 @@
/***/
},
- /***/ 2761: /***/ (
+ /***/ 6278: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -374,9 +374,9 @@
return AmpStateContext;
},
});
- const _interop_require_default = __webpack_require__(5790);
+ const _interop_require_default = __webpack_require__(7421);
const _react = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(5206)
+ __webpack_require__(7809)
);
const AmpStateContext = _react.default.createContext({});
if (false) {
@@ -385,7 +385,7 @@
/***/
},
- /***/ 6666: /***/ (__unused_webpack_module, exports) => {
+ /***/ 9854: /***/ (__unused_webpack_module, exports) => {
Object.defineProperty(exports, "__esModule", {
value: true,
});
@@ -407,7 +407,7 @@
/***/
},
- /***/ 3122: /***/ (
+ /***/ 3210: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -421,9 +421,9 @@
return getImgProps;
},
});
- const _warnonce = __webpack_require__(2082);
- const _imageblursvg = __webpack_require__(3074);
- const _imageconfig = __webpack_require__(6913);
+ const _warnonce = __webpack_require__(3096);
+ const _imageblursvg = __webpack_require__(374);
+ const _imageconfig = __webpack_require__(6701);
const VALID_LOADING_VALUES =
/* unused pure expression or super */ null && [
"lazy",
@@ -798,7 +798,7 @@
/***/
},
- /***/ 8171: /***/ (module, exports, __webpack_require__) => {
+ /***/ 6353: /***/ (module, exports, __webpack_require__) => {
/* __next_internal_client_entry_do_not_use__ cjs */
Object.defineProperty(exports, "__esModule", {
value: true,
@@ -819,19 +819,19 @@
return defaultHead;
},
});
- const _interop_require_default = __webpack_require__(5790);
- const _interop_require_wildcard = __webpack_require__(9295);
- const _jsxruntime = __webpack_require__(7001);
+ const _interop_require_default = __webpack_require__(7421);
+ const _interop_require_wildcard = __webpack_require__(9052);
+ const _jsxruntime = __webpack_require__(9401);
const _react = /*#__PURE__*/ _interop_require_wildcard._(
- __webpack_require__(5206)
+ __webpack_require__(7809)
);
const _sideeffect = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(5830)
+ __webpack_require__(3724)
);
- const _ampcontextsharedruntime = __webpack_require__(2761);
- const _headmanagercontextsharedruntime = __webpack_require__(2246);
- const _ampmode = __webpack_require__(6666);
- const _warnonce = __webpack_require__(2082);
+ const _ampcontextsharedruntime = __webpack_require__(6278);
+ const _headmanagercontextsharedruntime = __webpack_require__(4101);
+ const _ampmode = __webpack_require__(9854);
+ const _warnonce = __webpack_require__(3096);
function defaultHead(inAmpMode) {
if (inAmpMode === void 0) inAmpMode = false;
const head = [
@@ -1007,7 +1007,7 @@
/***/
},
- /***/ 3074: /***/ (__unused_webpack_module, exports) => {
+ /***/ 374: /***/ (__unused_webpack_module, exports) => {
/**
* A shared function, used on both client and server, to generate a SVG blur placeholder.
*/
@@ -1061,7 +1061,7 @@
/***/
},
- /***/ 9371: /***/ (
+ /***/ 289: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -1075,11 +1075,11 @@
return ImageConfigContext;
},
});
- const _interop_require_default = __webpack_require__(5790);
+ const _interop_require_default = __webpack_require__(7421);
const _react = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(5206)
+ __webpack_require__(7809)
);
- const _imageconfig = __webpack_require__(6913);
+ const _imageconfig = __webpack_require__(6701);
const ImageConfigContext = _react.default.createContext(
_imageconfig.imageConfigDefault
);
@@ -1089,7 +1089,7 @@
/***/
},
- /***/ 6913: /***/ (__unused_webpack_module, exports) => {
+ /***/ 6701: /***/ (__unused_webpack_module, exports) => {
Object.defineProperty(exports, "__esModule", {
value: true,
});
@@ -1128,7 +1128,7 @@
formats: ["image/webp"],
dangerouslyAllowSVG: false,
contentSecurityPolicy: "script-src 'none'; frame-src 'none'; sandbox;",
- contentDispositionType: "inline",
+ contentDispositionType: "attachment",
remotePatterns: [],
unoptimized: false,
}; //# sourceMappingURL=image-config.js.map
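Review bot: The default flip at `contentDispositionType: "attachment"` in `imageConfigDefault` changes what happens for anyone who opens or links to an optimized image URL directly, so it should ship with an upgrade note and a test that asserts the header both for the new default and for an explicit `contentDispositionType: 'inline'` override. The neighbouring defaults `dangerouslyAllowSVG: false` and `contentSecurityPolicy: "script-src 'none'; frame-src 'none'; sandbox;"` are unchanged in this hunk, which is the right call: the new default adds a layer on top of them and should not be documented as a replacement for either.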
@@ -1136,7 +1136,7 @@
/***/
},
- /***/ 7544: /***/ (__unused_webpack_module, exports) => {
+ /***/ 2975: /***/ (__unused_webpack_module, exports) => {
Object.defineProperty(exports, "__esModule", {
value: true,
});
@@ -1169,7 +1169,7 @@
/***/
},
- /***/ 9469: /***/ (
+ /***/ 3144: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -1183,9 +1183,9 @@
return RouterContext;
},
});
- const _interop_require_default = __webpack_require__(5790);
+ const _interop_require_default = __webpack_require__(7421);
const _react = /*#__PURE__*/ _interop_require_default._(
- __webpack_require__(5206)
+ __webpack_require__(7809)
);
const RouterContext = _react.default.createContext(null);
if (false) {
@@ -1194,7 +1194,7 @@
/***/
},
- /***/ 5830: /***/ (
+ /***/ 3724: /***/ (
__unused_webpack_module,
exports,
__webpack_require__
@@ -1208,7 +1208,7 @@
return SideEffect;
},
});
- const _react = __webpack_require__(5206);
+ const _react = __webpack_require__(7809);
const isServer = typeof window === "undefined";
const useClientOnlyLayoutEffect = isServer
? () => {}
ijjk approved these changes May 10, 2024
ijjk approved these changes May 10, 2024
panteliselef pushed a commit to panteliselef/next.js that referenced this pull request May 20, 2024
…t` (vercel#65631)

### BREAKING CHANGE

This changes the behavior of the default image `loader` so that [`Content-Disposition`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition#as_a_response_header_for_the_main_body) header is now `attachment` for added protection since the API can serve arbitrary remote images.

The new default value, `attachment`, forces the browser to download the image when visiting directly. This is particularly important when `dangerouslyAllowSVG` is true. Most users will not notice the change since visiting pages won't behave any differently, only visiting images directly.

Users can switch back to the old behavior by configuring `inline` in next.config.js

```js
module.exports = {
  images: {
    contentDispositionType: 'inline',
  },
}
```
BREAKING CHANGE

This changes the behavior of the default image `loader` so that `Content-Disposition` header is now `attachment` for added protection since the API can serve arbitrary remote images.

The new default value, `attachment`, forces the browser to download the image when visiting directly. This is particularly important when `dangerouslyAllowSVG` is true. Most users will not notice the change since visiting pages won't behave any differently, only visiting images directly.

Users can switch back to the old behavior by configuring `inline` in next.config.js
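
As an added example (not code from this pull request or from Next.js), the following JavaScript audits the headers of a directly requested optimizer response for the two protections discussed here: the `Content-Disposition` type and the sandboxing `contentSecurityPolicy` default visible in the diff. The function names, finding labels and sample header sets are hypothetical and constructed for illustration.

```javascript
// Added example: function names, finding labels and sample headers are
// hypothetical and constructed for illustration; nothing here is Next.js code.

// Parse a Content-Disposition value into its type and parameters.
function parseContentDisposition(value) {
  if (!value) return { type: null, params: {} };
  const type = value.split(';')[0].trim().toLowerCase();
  const params = {};
  const re = /;\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)/g;
  for (const [, name, raw] of value.matchAll(re)) {
    params[name.toLowerCase()] = raw.trim().replace(/^"|"$/g, '');
  }
  return { type, params };
}

// Parse a Content-Security-Policy value into Map(directive -> sources[]).
// The first occurrence of a directive wins, as in the CSP specification.
function parseCsp(value) {
  const directives = new Map();
  for (const chunk of (value || '').split(';')) {
    const [name, ...sources] = chunk.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Report which protections are missing from one response's headers.
function auditImageResponse(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const mime = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const disp = parseContentDisposition(h['content-disposition']);
  const csp = parseCsp(h['content-security-policy']);
  const findings = [];
  // A missing header is treated by browsers like "inline".
  if (disp.type !== 'attachment') {
    findings.push(mime === 'image/svg+xml'
      ? 'svg-inline-disposition' : 'inline-disposition');
  }
  if (!csp.has('sandbox')) findings.push('csp-missing-sandbox');
  const scriptSrc = csp.get('script-src') ?? csp.get('default-src');
  if (!scriptSrc || scriptSrc.length !== 1 || scriptSrc[0] !== "'none'") {
    findings.push('csp-allows-script');
  }
  return { mime, disposition: disp.type, filename: disp.params.filename ?? null,
           findings, ok: findings.length === 0 };
}

// Constructed sample responses (not captured from a real server).
const CSP_DEFAULT = "script-src 'none'; frame-src 'none'; sandbox;";
const SAMPLES = {
  newDefault: { 'Content-Type': 'image/webp',
    'Content-Disposition': 'attachment; filename="photo.webp"',
    'Content-Security-Policy': CSP_DEFAULT },
  inlineSvg: { 'Content-Type': 'image/svg+xml',
    'Content-Disposition': 'inline; filename="logo.svg"',
    'Content-Security-Policy': CSP_DEFAULT },
  bare: { 'Content-Type': 'image/png' },
};

function auditAll(samples) {
  return Object.fromEntries(
    Object.entries(samples).map(([k, v]) => [k, auditImageResponse(v)]));
}

console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

Feeding it the headers returned for a direct request to an optimized image URL shows whether a deployment has reverted to `inline`, which matters most where `dangerouslyAllowSVG` is enabled.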