Releases: nibtime/next-safe-middleware

@next-safe/[email protected]

02 Aug 20:02

Minor Changes

  • #64 02ca36f Thanks @nibtime! - feat: ✨ Hash-based CSP with trusted proxy loader to support Firefox and Safari (fixes #63)

    • Avoids the broken SRI validation of Firefox and Safari when combined with strict-dynamic

    • An important precursor for alternative configuration methods besides middleware, which can't dynamically opt out of strict-dynamic by user agent

  • #64 02ca36f Thanks @nibtime! - rebuild/refactor the lib into many small modules with a CSP manifest (fixes #40)

  • #64 02ca36f Thanks @nibtime! - feat(csp): new CspBuilder class with a fluent interface for safe and easy CSP construction and manipulation

@next-safe/[email protected]

24 Jul 03:26

Notes

  • Next 12.2 brought some significant changes to script insertion behavior / ISR that break prior versions of the lib in certain cases

  • All routes with getServerSideProps have to be wrapped with gsspWithNonceAppliedToCsp from now on for Nonce-based CSP to work

  • Only Next >= 12.2 is supported by this lib from now on

Minor Changes

  • #47 071f993 Thanks @nibtime! - provide gsspWithNonceAppliedToCsp and gipWithNonceAppliedToCsp wrappers to inject nonce into pages with getServerSideProps / getInitialProps.

    BREAKING CHANGE: nonce doesn't get applied to CSP automatically anymore. This extra step is necessary,
    as there is no longer a way to do that reliably with Next 12.2.

    BREAKING CHANGE: drop enhanceAppWithNonce, it's no longer needed as the nonce is injected through getServerSideProps of routes/pages now. That's actually a good thing, because customizing renderPage is discouraged

  • #47 f9ecbe3 Thanks @nibtime! - 💥 changes to ChainableMiddleware decrease resource utilization (fixes #45)

    • new MiddlewareChainContext interface

    perf: decrease CPU utilization

    • use ctx.cache.get and ctx.cache.set for caching CSP in the middleware chain (no serialize/deserialize)
    • write to the response only once, from the chain cache at the end
    • remove some unnecessary double ops

    perf: decrease deployed size

    • use new built-in userAgent from next/server

    BREAKING CHANGE: supports only Stable middleware from now on (needs next >= 12.2, as specified in peerDeps)

    BREAKING CHANGE: replace ua-parser-js with userAgent from next/server, available since 12.2

    BREAKING CHANGE: ChainableMiddleware now takes (ctx: MiddlewareChainContext) as its 3rd parameter.

    BREAKING CHANGE: turn positional params into named params for Configinitializer

Patch Changes

  • #47 f9ecbe3 Thanks @nibtime! - fix(document): use any type (children and return value) for components of provideComponents (fixes #46)

  • #47 071f993 Thanks @nibtime! - fix(document): support new script insertion behavior

    • handle getPreloadDynamicChunks and getPreloadMainLinks in <Head>
    • hash beforeInteractiveInlineScripts in <Head>
    • handle scripts also in drop-in component for <NextScript>
    • trustify scripts in initialProps.head

  • #47 071f993 Thanks @nibtime! - fix(document): prevent application of nonce in production builds (fixes #49)

  • #47 f9ecbe3 Thanks @nibtime! - provide base logical operators for chain matchers (request predicates): matchNot, matchAnd, matchOr

  • #47 071f993 Thanks @nibtime! - fix(strictDynamic): exclude Safari from Hash-based Strict CSP

  • #47 071f993 Thanks @nibtime! - fix: consider basePath from next.config.js for writing and fetching hashes (fixes #48)

  • #47 f9ecbe3 Thanks @nibtime! - fix: better isPageRequest matcher

    • exclude only the base paths /_next and /api
    • exclude all paths with file endings
    • exclude isPreviewModeRequest and isNextJsDataRequest (new matchers)

  • #47 071f993 Thanks @nibtime! - perf(middleware): telemetry wrapper to log basic measurements and info from middleware execution

  • #47 f9ecbe3 Thanks @nibtime! - fix(csp): handle boolean directives correctly

@next-safe/[email protected]

07 Jul 18:17

Minor Changes

  • #38 be1c950 Thanks @nibtime! - Internal redesign for Next.js 12.2 (req.page deprecated) (#37)

  • #38 be1c950 Thanks @nibtime! - provide new middleware abstractions for Next.js 12.2 stable middleware

    • matchChain function that allows disabling chain execution for certain requests with a matcher (a predicate on NextRequest)
    • continued function that allows continuing a middleware response into a middleware chain
    • isPageRequest matcher that matches only requests to Next.js pages

Patch Changes

  • #38 be1c950 Thanks @nibtime! - fix: enhanceAppWithNonce as a separate function. Must spread nonce into pageProps, otherwise it fails with Next 12.2

  • #38 be1c950 Thanks @nibtime! - fix: guard critical section with lockfile when writing out hashes for CSP to file at build time

@next-safe/[email protected]

06 Jul 02:22
f5e9ce8

Minor Changes

  • #36 2c8c5cd Thanks @nibtime! - new csp middleware with extensive typing for IntelliSense-assisted CSP configuration

    • typing has been borrowed from the SvelteKit CSP integration, which is excellent
    • handles the annoying single quotes in the background, no need to think about them in code

  • #36 2c8c5cd Thanks @nibtime! - versatile getCspInitialProps for _document.js

    • flag to opt into styles trustification for CSP
    • flag to opt out from script trustification for CSP
    • option to pass external raw CSS text to hash for CSP; needed for instance for Mantine, to pass extractCritical(initialProps.html).css (emotion)
    • option to enhance <App> (_app.js) with the nonce from SSR (needed for React Providers that can consume a nonce)

  • #36 2c8c5cd Thanks @nibtime! - helper to set up CSP violation reporting to Sentry with a one-liner

Patch Changes

@next-safe/[email protected]

05 Apr 02:23

Minor Changes

  • #24 af9b7ad Thanks @nibtime! - support exhaustive inline style hashing and noncing in document and strictInlineStyles middleware

Patch Changes

@next-safe/[email protected]

09 Mar 00:03

Patch Changes

  • #20 0e5fe59 Thanks @nibtime! - add the hash of the empty string to style hashes. CSS-in-JS frameworks like stitches seem to need it in order not to break during hydration

@next-safe/[email protected]

07 Mar 23:59

Patch Changes

  • #18 b40cc05 Thanks @nibtime! - use correct call order in render() of custom Document components. That should prevent things from breaking in ISR mode.

  • #18 b40cc05 Thanks @nibtime! - fetch script/style hashes for /404 route if a request has no route/page. This makes strict CSP work with a custom pages/404.js.

@next-safe/[email protected]

06 Mar 02:37

Minor Changes

  • #15 e7b4193 Thanks @nibtime! - better bundling config + bundling of external utils. Saves around 100% in size for _middleware; important for edge, where the limit is 1MB

  • #15 e7b4193 Thanks @nibtime! - provide an API handler for easy creation of a report processing endpoint as a Next/Vercel cloud function

  • #17 b084027 Thanks @nibtime! - provide strictInlineStyles middleware. Extend dist/document to write out hashes of inline styles (Hash-based) or attach a nonce to inline styles (Nonce-based).

  • #17 b084027 Thanks @nibtime! - add the tellsupported config option (a function) to strictDynamic. Allows for strong customization of fallback behavior by parsed user agent.

@next-safe/[email protected]

01 Mar 19:10

Minor Changes

  • #13 67469d7 Thanks @nibtime! - provide a uniform middleware builder and configuration interface

  • 6b8bbc1 Thanks @nibtime! - add configuration options to strictDynamic (allowUnsafeEval, reportOnly)

@next-safe/[email protected]

28 Feb 14:40

Patch Changes

  • #11 7f44414 Thanks @nibtime! - add an undefined guard to the browser support check of strictDynamic. Previously this led to undesired behavior when the user agent is empty/unknown.