No nonce on script element in body added by Next chunk preloading? #28658
Replies: 1 comment
-
Hey folks, wanted to swing back here with an update. After digging through many different issues and discussions, I've made a new page in the documentation (PR) specifically for Content Security Policy and nonces. This docs page:
Further, we've patched some bugs and made improvements to Really hope this helps out, thank you all 🙏 I'll be closing this discussion out. To continue the discussion, please go here. |
Beta Was this translation helpful? Give feedback.
-
Hi!
Trying to implement
strict dynamic
CSP rules, suggested here, to avoid "allow listening" of domains.Seems to work in Chrome so far but I have stumble across a problem in Safari. Safari doesn't support CSP level 3/
strict dynamic
, instead it uses a fallback rule based onnonce
.Error is a bit vague but I think I have problem because Next preload chunks via script elements added to the bottom of the body (when using the link component). Those script elements does not have a
nonce
attribute.Is there any way to add
nonce
to those scripts?CSP error in Safari:
CSP error report:
Beta Was this translation helpful? Give feedback.
All reactions