Hey! I'm using the package in a repo that uses getServerSideProps. Following the strict CSP configuration, every getServerSideProps is wrapped with gsspWithNonce, and it works fine, setting the correct Content-Security-Policy header.
However, if reportOnly is set to true, it ends up setting an empty Content-Security-Policy-Report-Only header.
After some debugging, I've found out that although the headers are correctly set in the middleware, they get overridden with an empty value on the document getInitialProps because getCspInitialProps uses a getter that contains a bug:
Notice that the directives returned from the report-only block should use the report-only header, i.e.: