Skip to content

🔒 Harden Content Security Policy (CSP)#89

Merged
amrabed merged 3 commits into
mainfrom
fix/harden-csp-17906426014267264430
Jul 4, 2026
Merged

🔒 Harden Content Security Policy (CSP)#89
amrabed merged 3 commits into
mainfrom
fix/harden-csp-17906426014267264430

Conversation

@google-labs-jules

Copy link
Copy Markdown
Contributor

🎯 What: Hardened the Content Security Policy (CSP) by removing the insecure 'unsafe-eval' directive and synchronizing the policy configuration across the main Next.js application and the Nextra documentation site.

⚠️ Risk: The presence of 'unsafe-eval' significantly increases the risk of Cross-Site Scripting (XSS) attacks by allowing the execution of arbitrary string-based code. While 'unsafe-inline' also presents risks, its removal in this architecture (utilizing Next.js hydration and Nextra's static export) currently causes critical functional regressions in theme management and component rendering.

🛡️ Solution:

  • Harden Headers: Removed 'unsafe-eval' from the Content-Security-Policy header in next.config.ts.
  • Harden Meta Tags: Removed 'unsafe-eval' from the CSP <meta> tag in the documentation layout (docs/app/[[...mdxPath]]/layout.tsx).
  • Policy Synchronization: Updated the documentation site's CSP to include va.vercel-scripts.com and vitals.vercel-insights.com, ensuring parity with the main application's analytics and performance monitoring.
  • Verification: Validated the fix via production builds and E2E tests to ensure no regressions were introduced by the removal of 'eval' support. Investigated nonce-based alternatives for 'unsafe-inline' but determined they are not compatible with the current static documentation export without a significant infrastructure change.

PR created automatically by Jules for task 17906426014267264430 started by @amrabed

@google-labs-jules

Copy link
Copy Markdown
Contributor Author

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented Jul 4, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
typescript Ready Ready Preview, Comment Jul 4, 2026 8:57pm

amrabed
amrabed previously approved these changes Jul 4, 2026
- Removed 'unsafe-eval' from script-src in next.config.ts and docs layout.
- Synchronized connect-src and script-src domains across main app and docs.
- Verified that 'unsafe-inline' remains necessary for framework hydration.
- Removed 'unsafe-eval' from CSP in next.config.ts and docs layout.
- Synchronized allowed domains in CSP for analytics and speed insights.
- Fixed TypeScript errors in docs sitemap tests by updating mocks to support async readdir.
- Rebased on main and verified all tests pass locally.
@sonarqubecloud

sonarqubecloud Bot commented Jul 4, 2026

Copy link
Copy Markdown

@amrabed amrabed marked this pull request as ready for review July 4, 2026 20:57
@amrabed amrabed merged commit 193d073 into main Jul 4, 2026
5 checks passed
@amrabed amrabed deleted the fix/harden-csp-17906426014267264430 branch July 4, 2026 21:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant