[BUG]: configuration of CSP report directives (report-uri, report-to) is unsound
Describe the bug
```js
const nextSafe = require('next-safe');
const isDev = process.env.NODE_ENV !== 'production';

module.exports = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: nextSafe({
          isDev,
          contentSecurityPolicy: {
            'frame-ancestors': 'https://stackblitz.com',
            // next-safe ensures that both directives always have the same value.
            // It prefers report-to over report-uri if both are set.
            // This doesn't make sense: for report-uri, a URL is expected.
            // For report-to, it is a group name of a Reporting API configuration.
            // It requires a Report-To header for configuration,
            // see https://developers.google.com/web/updates/2018/09/reportingapi
            'report-uri': 'https://example.com/csp-report-uri',
            'report-to': 'default',
          },
        }),
      },
    ];
  },
};
```
Steps To Reproduce
https://stackblitz.com/edit/nextjs-d6qbyi?file=next.config.js
Version
v3.x.x
Relevant log output
```
base-uri 'none';child-src 'none';connect-src 'self' webpack://*;default-src 'self';font-src 'self';form-action 'self';frame-ancestors https://stackblitz.com;frame-src 'none';img-src 'self';manifest-src 'self';media-src 'self';object-src 'none';prefetch-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self';report-uri default;report-to default;
```
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Hi @trezy, are there any updates on this?
Should we simply allow configuration of these directives separately to each other? Are there cases where they could be or should be the same?
Just an update here, I've come up with a pretty decent plan of attack to address this, and I'm looking to ship a solution with 4.0.0.
First things first, we're definitely going to de-couple these values, but that leaves users to manage Reporting-Endpoints on their own.
I'd like to add support for generating that header, and I'm looking into the possibility of simplifying configuration so a user only has to provide a single value. next-safe would just automatically handle the rest.
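As an added example, independent of next-safe's own code, the following Node.js snippet shows what the issue body and the maintainer's plan both describe: `report-uri` carries a URL, `report-to` carries a Reporting API group name, and a `Reporting-Endpoints` header binds that group name to the URL. It also includes a small validator that flags the unsound output shown in the log above (`report-uri default`). The helper names (`buildCsp`, `reportHeaders`, `validateReportDirectives`) and the endpoint URL are constructed for this example; the endpoint value is the one from the issue's config.

```javascript
// Added example (not next-safe's code): emit a CSP whose report-uri is a URL
// and whose report-to is a group name, plus the Reporting-Endpoints header
// that defines the group. Values below are taken from the issue's config.
const REPORT_ENDPOINT = 'https://example.com/csp-report-uri';
const REPORT_GROUP = 'default';

// Serialize a directives object ({ 'default-src': "'self'", ... }) to a CSP string.
// Values may be a string or an array of source expressions.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, value]) => `${name} ${Array.isArray(value) ? value.join(' ') : value}`)
    .join(';');
}

// Build the Reporting-Endpoints header value: group="url", group2="url2".
function buildReportingEndpoints(groups) {
  return Object.entries(groups)
    .map(([group, url]) => `${group}="${url}"`)
    .join(', ');
}

// From a single endpoint URL and group name, produce both headers in the
// { key, value } shape Next.js expects from headers().
function reportHeaders({ endpoint, group }) {
  const csp = buildCsp({
    'default-src': "'self'",
    'frame-ancestors': 'https://stackblitz.com',
    'report-uri': endpoint, // URL
    'report-to': group, // group name, defined in Reporting-Endpoints
  });
  return [
    { key: 'Content-Security-Policy', value: csp },
    { key: 'Reporting-Endpoints', value: buildReportingEndpoints({ [group]: endpoint }) },
  ];
}

// Parse a CSP string back into a { directive: value } map for checking.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const [name, ...values] = trimmed.split(/\s+/);
    out[name] = values.join(' ');
  }
  return out;
}

// Return a list of problems: report-uri must be an absolute URL, report-to
// must be a bare token that has an entry in the Reporting-Endpoints header.
function validateReportDirectives(csp, endpointsHeader) {
  const d = parseCsp(csp);
  const problems = [];
  if (d['report-uri'] !== undefined) {
    try {
      new URL(d['report-uri']);
    } catch {
      problems.push('report-uri is not a URL');
    }
  }
  if (d['report-to'] !== undefined) {
    if (!/^[A-Za-z0-9_-]+$/.test(d['report-to'])) {
      problems.push('report-to is not a group name');
    }
    const defined = endpointsHeader.split(',').map((e) => e.trim().split('=')[0]);
    if (!defined.includes(d['report-to'])) {
      problems.push(`report-to group "${d['report-to']}" has no Reporting-Endpoints entry`);
    }
  }
  return problems;
}

// Usage: the two headers a Next.js config could return for every route.
const headers = reportHeaders({ endpoint: REPORT_ENDPOINT, group: REPORT_GROUP });
const problems = validateReportDirectives(headers[0].value, headers[1].value);
console.log(headers, problems);

module.exports = { buildCsp, buildReportingEndpoints, reportHeaders, parseCsp, validateReportDirectives };
```

Running the validator over the log output from the report (`report-uri default;report-to default`) yields the single problem `report-uri is not a URL`, which is exactly the unsoundness the issue describes; over the headers built here it yields none.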