Notes
- Next 12.2 brought some significant changes to script insertion behavior / ISR that break the lib in certain cases with prior versions
- All routes with getServerSideProps have to be wrapped with gsspWithNonceAppliedToCsp from now on for Nonce-based CSP to work
- Only Next >= 12.2 is supported by this lib from now on
Minor Changes
- #47 071f993 Thanks @nibtime! - provide gsspWithNonceAppliedToCsp and gipWithNonceAppliedToCsp wrappers to inject nonce into pages with getServerSideProps / getInitialProps.

  BREAKING CHANGE: nonce doesn't get applied to CSP automatically anymore. This extra step is necessary as there is no longer a way to reliably do that with Next 12.2.

  BREAKING CHANGE: drop enhanceAppWithNonce, it's no longer needed as nonce is injected through getServerSideProps of routes/pages now. That's actually a good thing, because customizing renderPage is discouraged
- #47 f9ecbe3 Thanks @nibtime! - 💥 changes to ChainableMiddleware decrease resource utilization (fixes #45)
  - new MiddlewareChainContext interface

  perf: decrease CPU utilization
  - use ctx.cache.get and ctx.cache.set for caching CSP in middleware chain (no serialize/deserialize)
  - write to response only once from chain cache at the end
  - remove some unnecessary double ops

  perf: decrease deployed size
  - use new built-in userAgent from next/server

  BREAKING CHANGE: supports only Stable middleware from now on (needs next >= 12.2, as is specified in peerDeps)

  BREAKING CHANGE: replace ua-parser-js with userAgent from next/server available since 12.2

  BREAKING CHANGE: ChainableMiddleware with (ctx: MiddlewareChainContext) as 3rd parameter.

  BREAKING CHANGE: turn positional params into named params for Configinitializer
Patch Changes
- #47 f9ecbe3 Thanks @nibtime! - fix(document): use any type (children and return value) for components of provideComponents (fixes #46)
- #47 071f993 Thanks @nibtime! - fix(document): support new script insertion behavior
  - handle getPreloadDynamicChunks and getPreloadMainLinks in <Head>
  - hash beforeInteractiveInlineScripts in <Head>
  - handle scripts also in drop-in component for <NextScript>
  - trustify scripts in initialProps.head
- #47 071f993 Thanks @nibtime! - fix(document): prevent application of nonce in production builds (fixes #49)
- #47 f9ecbe3 Thanks @nibtime! - provide base logical operators for chain matchers (request predicates): matchNot, matchAnd, matchOr
- #47 071f993 Thanks @nibtime! - fix(strictDynamic): exclude Safari from Hash-based Strict CSP
  - the problem is probably that Safari isn't truly CSP-3 compliant yet, like Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1409200. strict-dynamic seems to mess up SRI validation there.
- #47 071f993 Thanks @nibtime! - fix: consider basePath from next.config.js for writing and fetching hashes (fixes #48)
- #47 f9ecbe3 Thanks @nibtime! - fix: better isPageRequest matcher
  - exclude only basepaths /_next and /api
  - exclude all paths with file endings
  - exclude isPreviewModeRequest and isNextJsDataRequest (new matchers)
- #47 071f993 Thanks @nibtime! - perf(middleware): telemetry wrapper to log basic measurements and infos from middleware execution
- #47 f9ecbe3 Thanks @nibtime! - fix(csp): handle boolean directives correctly
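
The isPageRequest rules and the matchNot / matchAnd / matchOr operators listed above decide which responses receive a CSP, so a prefix or file-ending mistake either leaves a page without a policy or spends work on assets. The following is an added example, not the library's source: the names mirror the changelog, but the signatures, the request shape `{ pathname, headers, cookies }`, and the cookie and header checks used for preview and data requests are assumptions.

```javascript
// Added illustration: hypothetical re-implementation, not the library's code.
// A request is modelled as { pathname, headers, cookies } (assumed shape).

// Logical combinators over request predicates.
const matchNot = (p) => (req) => !p(req);
const matchAnd = (...ps) => (req) => ps.every((p) => p(req));
const matchOr = (...ps) => (req) => ps.some((p) => p(req));

// Match a prefix on a segment boundary, so "/apiary" is not treated as "/api".
const underPath = (prefix) => (req) =>
  req.pathname === prefix || req.pathname.startsWith(prefix + "/");

// True when the last path segment ends in ".ext" (e.g. /favicon.ico).
const hasFileEnding = (req) =>
  /\.[A-Za-z0-9]+$/.test(req.pathname.split("/").pop());

const hasCookie = (name) => (req) => name in (req.cookies || {});

// Assumption: preview mode is recognised by both Next.js preview cookies.
const isPreviewModeRequest = matchAnd(
  hasCookie("__prerender_bypass"),
  hasCookie("__next_preview_data")
);

// Assumption: data requests are recognised by the x-nextjs-data header.
const isNextJsDataRequest = (req) => Boolean((req.headers || {})["x-nextjs-data"]);

// A page request is anything that hits none of the exclusions.
const isPageRequest = matchNot(
  matchOr(underPath("/_next"), underPath("/api"), hasFileEnding,
          isPreviewModeRequest, isNextJsDataRequest)
);

// Constructed sample requests.
const samples = [
  { pathname: "/" },
  { pathname: "/blog/hello" },
  { pathname: "/apiary" },
  { pathname: "/api/login" },
  { pathname: "/_next/static/chunks/main.js" },
  { pathname: "/favicon.ico" },
  { pathname: "/blog/hello", headers: { "x-nextjs-data": "1" } },
  { pathname: "/draft", cookies: { __prerender_bypass: "x", __next_preview_data: "y" } },
];

const classify = (requests) => requests.map((r) => isPageRequest(r));
console.log(classify(samples));
```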