Does Next require 'unsafe-inline' in CSP script-src to run in production?
Unanswered
Siberian posted this in #help-forum
SiberianOP
Followed the docs, but don't want to use nonces and make every page dynamic
https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy#without-nonces
Results in the following error in production:
When running a check over https://securityheaders.com/ I get a warning on these
From my understanding, any React app is safe due to the rendering safety from the use of a virtual DOM and sanitization of content by default (as well as user inputs).
So, is it safe to keep 'unsafe-inline'?
https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy#without-nonces
script-src 'self' ${
process.env.NODE_ENV === "production" ? "" : `'unsafe-eval' 'unsafe-inline'`
}Results in the following error in production:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-dozbWxXM6emMbFfwZfaHs5BRe9i9pJ1HFrEVsjW5GQc='), or a nonce ('nonce-...') is required to enable inline execution.When running a check over https://securityheaders.com/ I get a warning on these
Content-Security-Policy This policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive.From my understanding, any React app is safe due to the rendering safety from the use of a virtual DOM and sanitization of content by default (as well as user inputs).
So, is it safe to keep 'unsafe-inline'?
2 Replies
Snowshoe
Did you find a solution?
Australian Freshwater Crocodile
Using either
unsafe-inline or unsafe-eval is in general not a good idea. I'd recommend running the CSP header from your reponse against this tool to verify whether it is any good and has known bypasses: https://csp-evaluator.withgoogle.com/