To achieve this, Next.js uses `getScriptNonceFromHeader` to extract the nonce from the CSP HTTP header; `AppRender` then includes that nonce in every script element it emits.
/**
 * Build the value of the `Content-Security-Policy` response header.
 *
 * The policy is nonce-based: `script-src` carries the per-request nonce plus
 * `'strict-dynamic'`, so browsers ignore host allow-lists and execute only
 * scripts that carry the nonce (and scripts those load). Every other fetch
 * directive starts from `'none'`/`'self'` and is widened per environment below.
 *
 * @param nonce - Per-request nonce, interpolated verbatim as `'nonce-<value>'`;
 *   it is not validated or escaped here, so the caller must supply a value it
 *   generated itself.
 * @param reportUri - Violation report endpoint emitted as `report-uri`
 *   (legacy reporting). `report-to csp` is emitted alongside it and relies on a
 *   reporting group named `csp` being declared in a separate response header.
 *   An empty string yields an empty `report-uri` directive — callers should
 *   pass a real endpoint.
 * @returns The serialized header value, directives joined by `'; '`, in the
 *   order listed below.
 */
function getContentSecurityPolicyHeaderValue(
  nonce: string,
  reportUri: string,
): string {
  const self = `'self'`
  const none = `'none'`

  // Ordered directive list; serialization order is the array order.
  const directives: Array<[string, string[]]> = [
    ['base-uri', [self]],
    ['default-src', [none]],
    ['frame-ancestors', [none]],
    ['font-src', [self]],
    ['form-action', [self]],
    ['frame-src', [self]],
    ['connect-src', [self]],
    ['img-src', [self]],
    ['manifest-src', [self]],
    ['object-src', [none]],
    ['report-uri', [reportUri]], // legacy reporting, e.g. older Firefox
    ['report-to', ['csp']], // Reporting API, e.g. Chrome
    // 'strict-dynamic' makes hashes/nonces take precedence over host lists.
    ['script-src', [`'nonce-${nonce}'`, `'strict-dynamic'`]],
    ['style-src', [self]],
  ]

  // Append sources to an existing directive; unknown names are ignored.
  const extend = (name: string, ...sources: string[]): void => {
    const entry = directives.find(([directive]) => directive === name)
    if (entry !== undefined) {
      entry[1].push(...sources)
    }
  }

  // Webpack relies on eval() in development for automatic JS reloading.
  if (process.env.NODE_ENV === 'development') {
    extend('script-src', `'unsafe-eval'`)
  }

  // Additional origins required only on Vercel preview deployments.
  if (process.env.NEXT_PUBLIC_VERCEL_ENV === 'preview') {
    extend('connect-src', 'https://vercel.live', 'wss://*.pusher.com')
    extend('img-src', 'https://vercel.com')
    extend('font-src', 'https://vercel.live')
    extend('frame-src', 'https://vercel.live')
    extend('style-src', 'https://vercel.live')
  }

  return directives
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ')
}