Releases: nibtime/next-safe-middleware
@next-safe/[email protected]
Minor Changes
- #64 02ca36f Thanks @nibtime! - feat: ✨ Hash-based CSP with trusted proxy loader to support Firefox and Safari (fixes #63)
  - Avoids broken SRI validation of Firefox and Safari together with strict-dynamic
  - an important precursor for alternative configuration methods to middleware, that can't dynamically opt out from strict-dynamic by user agent
- #64 02ca36f Thanks @nibtime! - rebuild/refactor lib into many small modules with CSP manifest (fixes #40)
  - writes out a single file to .next/static/~csp/csp-manifest.json with all information about trustable sources identified during SSR
  - precursor for a multi-package approach to support alternative configuration methods (described in https://github.com/nibtime/next-safe-middleware/discussions/60#discussioncomment-3259782)
  - perf: fetch CSP manifest only once on first access and cache for all subsequent middlewares
- #64 02ca36f Thanks @nibtime! - feat(csp): new CspBuilder class with fluent interface for safe and easy CSP construction + manipulation
@next-safe/[email protected]
Notes
- Next 12.2 brought some significant changes to script insertion behavior / ISR that break the lib in certain cases with prior versions
- All routes with getServerSideProps have to be wrapped with gsspWithNonceAppliedToCsp from now on for Nonce-based CSP to work
- Only Next >= 12.2 is supported by this lib from now on
Minor Changes
- #47 071f993 Thanks @nibtime! - provide gsspWithNonceAppliedToCsp and gipWithNonceAppliedToCsp wrappers to inject nonce into pages with getServerSideProps / getInitialProps.
  - BREAKING CHANGE: nonce doesn't get applied to CSP automatically anymore. This extra step is necessary as there is no longer a way of reliably doing that with Next 12.2.
  - BREAKING CHANGE: drop enhanceAppWithNonce, it's no longer needed as nonce is injected through getServerSideProps of routes/pages now. That's actually a good thing, because customizing renderPage is discouraged
- #47 f9ecbe3 Thanks @nibtime! - 💥 changes to ChainableMiddleware decrease resource utilization (fixes #45)
  - new MiddlewareChainContext interface
  - perf: decrease CPU utilization
    - use ctx.cache.get and ctx.cache.set for caching CSP in middleware chain (no serialize/deserialize)
    - write to response only once from chain cache at the end
    - remove some unnecessary double ops
  - perf: decrease deployed size
    - use new built-in userAgent from next/server
  - BREAKING CHANGE: supports only Stable middleware from now on (needs next >= 12.2, as is specified in peerDeps)
  - BREAKING CHANGE: replace ua-parser-js with userAgent from next/server, available since 12.2
  - BREAKING CHANGE: ChainableMiddleware with (ctx: MiddlewareChainContext) as 3rd parameter.
  - BREAKING CHANGE: turn positional params into named params for Config initializer
Patch Changes
- #47 f9ecbe3 Thanks @nibtime! - fix(document): use any type (children and return value) for components of provideComponents (fixes #46)
- #47 071f993 Thanks @nibtime! - fix(document): support new script insertion behavior
  - handle getPreloadDynamicChunks and getPreloadMainLinks in <Head>
  - hash beforeInteractiveInlineScripts in <Head>
  - handle scripts also in drop-in component for <NextScript>
  - trustify scripts in initialProps.head
- #47 071f993 Thanks @nibtime! - fix(document): prevent application of nonce in production builds (fixes #49)
- #47 f9ecbe3 Thanks @nibtime! - provide base logical operators for chain matchers (request predicates): matchNot, matchAnd, matchOr
- #47 071f993 Thanks @nibtime! - fix(strictDynamic): exclude Safari from Hash-based Strict CSP
  - the problem is probably that Safari isn't truly CSP-3 compliant yet, like Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1409200. strict-dynamic seems to mess up SRI validation there.
- #47 071f993 Thanks @nibtime! - fix: consider basePath from next.config.js for writing and fetching hashes (fixes #48)
- #47 f9ecbe3 Thanks @nibtime! - fix: better isPageRequest matcher
  - exclude only basepaths /_next and /api
  - exclude all paths with file endings
  - exclude isPreviewModeRequest and isNextJsDataRequest (new matchers)
- #47 071f993 Thanks @nibtime! - perf(middleware): telemetry wrapper to log basic measurements and infos from middleware execution
- #47 f9ecbe3 Thanks @nibtime! - fix(csp): handle boolean directives correctly
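The matchNot/matchAnd/matchOr operators and the isPageRequest exclusions listed in this release, as an added illustration that is not the library's own code: the Req shape, the x-nextjs-data header check for data requests and the __prerender_bypass cookie check for preview mode are assumptions made for this example.

```typescript
// Added illustration, not the library's code: boolean combinators for request
// predicates plus an isPageRequest matcher with the exclusions from the changelog.
// The Req shape and the preview-mode / data-request checks are assumptions made here.
type Req = { pathname: string; headers: Record<string, string>; cookies: Record<string, string> };
type Matcher = (req: Req) => boolean;

const matchNot = (m: Matcher): Matcher => (req) => !m(req);
const matchAnd = (...ms: Matcher[]): Matcher => (req) => ms.every((m) => m(req));
const matchOr = (...ms: Matcher[]): Matcher => (req) => ms.some((m) => m(req));

// True for the basepath itself or anything below it, so "/apiary" is not caught by "/api".
const hasBasepath = (base: string): Matcher => (req) =>
  req.pathname === base || req.pathname.indexOf(base + "/") === 0;

// Static files such as /favicon.ico: the last path segment carries a file ending.
const hasFileEnding: Matcher = (req) => {
  const segments = req.pathname.split("/");
  return /\.[A-Za-z0-9]+$/.test(segments[segments.length - 1]);
};

// Assumption: Next.js marks client-side data fetches with an x-nextjs-data header
// (header names normalized to lower case here).
const isNextJsDataRequest: Matcher = (req) => "x-nextjs-data" in req.headers;
// Assumption: preview mode is signalled by the __prerender_bypass cookie.
const isPreviewModeRequest: Matcher = (req) => "__prerender_bypass" in req.cookies;

// A page request is anything not excluded by one of the rules above.
const isPageRequest: Matcher = matchNot(matchOr(
  hasBasepath("/_next"), hasBasepath("/api"), hasFileEnding,
  isNextJsDataRequest, isPreviewModeRequest,
));

// Builds a constructed request for the checks below.
function mkReq(pathname: string, headers: Record<string, string> = {},
               cookies: Record<string, string> = {}): Req {
  return { pathname, headers, cookies };
}

// Names the first exclusion rule a request trips, or null for a page request.
function excludedBy(req: Req): string | null {
  const rules: Array<[string, Matcher]> = [
    ["basepath", matchOr(hasBasepath("/_next"), hasBasepath("/api"))],
    ["file ending", hasFileEnding], ["data request", isNextJsDataRequest],
    ["preview mode", isPreviewModeRequest]];
  for (const [name, m] of rules) if (m(req)) return name;
  return null;
}
```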
@next-safe/[email protected]
Minor Changes
- #38 be1c950 Thanks @nibtime! - Internal redesign for Next.js 12.2 (req.page deprecated) (#37)
- #38 be1c950 Thanks @nibtime! - provide new middleware abstractions for Next.js 12.2 stable middleware
  - matchChain function that allows to disable chain execution for certain requests with a matcher (predicate on NextRequest)
  - continued function that allows to continue a middleware response to a middleware chain
  - isPageRequest matcher that matches only requests to Next.js pages
Patch Changes
@next-safe/[email protected]
Minor Changes
- #36 2c8c5cd Thanks @nibtime! - new csp middleware with extensive Typing for IntelliSense CSP configuration
  - typing has been borrowed from the SvelteKit CSP Integration, which is excellent
  - handles annoying single quotes in the background, no need to think about them in code
- #36 2c8c5cd Thanks @nibtime! - versatile getCspInitialProps for _document.js
  - flag to opt into styles trustification for CSP
  - flag to opt out from script trustification for CSP
  - option to pass external raw css text to hash for CSP. For instance needed for Mantine, to pass extractCritical(initialProps.html).css (emotion)
  - option to enhance <App> (_app.js) with nonce from SSR (needed for React Providers that can consume a nonce)
- #36 2c8c5cd Thanks @nibtime! - helper to set up CSP violation reporting to Sentry with a one-liner
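The single-quote handling of the csp middleware in this release, the CspBuilder fluent interface and the boolean-directive fix in the later releases all rest on one serializer detail: keywords, nonces and hashes must be single-quoted while hosts and schemes stay bare, and flag directives take no source list. This added example is illustrative code, not the library's CspBuilder; the class, its method names and the chosen directive set are assumptions.

```typescript
// Added illustration, not the library's own CspBuilder: a fluent builder that
// single-quotes keyword/nonce/hash sources automatically, leaves hosts and schemes
// bare, de-duplicates sources and serializes boolean (valueless) directives correctly.
type Directives = Record<string, string[] | true>;
// Source expressions the CSP grammar requires in single quotes.
const QUOTED_KEYWORDS = ["self", "none", "unsafe-inline", "unsafe-eval",
  "strict-dynamic", "unsafe-hashes", "wasm-unsafe-eval", "report-sample"];
// Flag directives: no source list, just present or absent.
const BOOLEAN_DIRECTIVES = ["upgrade-insecure-requests", "block-all-mixed-content"];

// Strips quotes the caller may already have added, then re-quotes keywords
// and nonce-/sha*- expressions so the output is always well-formed.
function quoteSource(src: string): string {
  const bare = src.replace(/^'|'$/g, "");
  const quoted = QUOTED_KEYWORDS.indexOf(bare) !== -1 || /^(nonce|sha256|sha384|sha512)-/.test(bare);
  return quoted ? `'${bare}'` : bare;
}

class CspBuilder {
  private directives: Directives = {};
  // Adds sources to a directive (creating it); boolean directives ignore sources.
  withDirective(name: string, ...sources: string[]): this {
    if (BOOLEAN_DIRECTIVES.indexOf(name) !== -1) {
      this.directives[name] = true;
      return this;
    }
    const current = this.directives[name];
    const list: string[] = Array.isArray(current) ? current : [];
    for (const s of sources) {
      const q = quoteSource(s);
      if (list.indexOf(q) === -1) list.push(q);
    }
    this.directives[name] = list;
    return this;
  }
  // Serializes to a Content-Security-Policy header value.
  toString(): string {
    return Object.keys(this.directives).map((name) => {
      const v = this.directives[name];
      return v === true ? name : `${name} ${v.join(" ")}`;
    }).join("; ");
  }
}

// Strict-dynamic policy for one render; the per-request nonce comes from the caller.
function buildStrictCsp(nonce: string): string {
  return new CspBuilder()
    .withDirective("default-src", "self")
    .withDirective("script-src", "'self'", "strict-dynamic", "https://cdn.example.com")
    .withDirective("script-src", `nonce-${nonce}`, "self") // second 'self' is dropped
    .withDirective("upgrade-insecure-requests", "self") // sources ignored for a flag
    .toString();
}
```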
Patch Changes
@next-safe/[email protected]
@next-safe/[email protected]
@next-safe/[email protected]
Patch Changes
- #18 b40cc05 Thanks @nibtime! - use correct call order in render() of custom Document components. That should prevent things from breaking in ISR mode.
- #18 b40cc05 Thanks @nibtime! - fetch script/style hashes for /404 route if a request has no route/page. This makes strict CSP work with a custom pages/404.js.
@next-safe/[email protected]
Minor Changes
- #15 e7b4193 Thanks @nibtime! - better bundling config + bundling of external utils. Saves around ~100% size for _middleware - important for edge where limit is 1MB
- #15 e7b4193 Thanks @nibtime! - provide an API handler for easy creation of a report processing endpoint by Next/Vercel cloud function
- #17 b084027 Thanks @nibtime! - provide strictInlineStyles middleware. Extend dist/document to write out hashes of inline styles (Hash-based) or attach nonce to inline styles (Nonce-based).
- #17 b084027 Thanks @nibtime! - add tellsupported config option (a function) to strictDynamic. Allows for strong customization of fallback behavior by parsed user agent.