🔒 Harden Content Security Policy (CSP)#89
Conversation
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
- Removed 'unsafe-eval' from script-src in next.config.ts and docs layout. - Synchronized connect-src and script-src domains across main app and docs. - Verified that 'unsafe-inline' remains necessary for framework hydration.
- Removed 'unsafe-eval' from CSP in next.config.ts and docs layout. - Synchronized allowed domains in CSP for analytics and speed insights. - Fixed TypeScript errors in docs sitemap tests by updating mocks to support async readdir. - Rebased on main and verified all tests pass locally.
bd3f19c to
2f8ae4a
Compare
|



🎯 What: Hardened the Content Security Policy (CSP) by removing the insecure
'unsafe-eval'directive and synchronizing the policy configuration across the main Next.js application and the Nextra documentation site.'unsafe-eval'significantly increases the risk of Cross-Site Scripting (XSS) attacks by allowing the execution of arbitrary string-based code. While'unsafe-inline'also presents risks, its removal in this architecture (utilizing Next.js hydration and Nextra's static export) currently causes critical functional regressions in theme management and component rendering.🛡️ Solution:
'unsafe-eval'from theContent-Security-Policyheader innext.config.ts.'unsafe-eval'from the CSP<meta>tag in the documentation layout (docs/app/[[...mdxPath]]/layout.tsx).va.vercel-scripts.comandvitals.vercel-insights.com, ensuring parity with the main application's analytics and performance monitoring.'eval'support. Investigated nonce-based alternatives for'unsafe-inline'but determined they are not compatible with the current static documentation export without a significant infrastructure change.PR created automatically by Jules for task 17906426014267264430 started by @amrabed