Replies: 3 comments 4 replies
-
|
Hash based CSP is also required for PPR, so I hope this will be implemented soon... |
Beta Was this translation helpful? Give feedback.
-
|
I'd say Next/Vercel is banking on the app router and Next 14 where this issue will probably be moot. Sad... |
Beta Was this translation helpful? Give feedback.
-
|
PPR is supposed to be the future (see https://vercel.com/blog/partial-prerendering-with-next-js-creating-a-new-default-rendering-model), but doesn't support CSP, same as any static pages (both app/pages router). |
Beta Was this translation helpful? Give feedback.
-
|
So does this mean there's going to be two separate CSP/security solutions for every page rendered with PPR? I don't think Next/Vercel is taking these new security protocols very seriously at all. That's not something you can just throw out there are expect the community to deal with it for you. This should be discussed on SO - maybe then they'd pay some attention. https://stackoverflow.com/questions/78320411/using-hashes-for-content-security-policy-in-statically-generated-sites-ssg-in |
Beta Was this translation helpful? Give feedback.
-
|
is there any updates? |
Beta Was this translation helpful? Give feedback.
-
|
Any updates on this? @leerob @delbaoliveira @ijjk |
Beta Was this translation helpful? Give feedback.
-
|
Maybe this PR can be used a first step to support this: |
Beta Was this translation helpful? Give feedback.
-
Summary
Arent' we long overdue for a hash-based solution for SSG that is as well-integrated and documented as the nonce-based solution for SSR, which is documented here: https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy? Is Nextjs trying to phase out SSG or is it just low on the totem pole? I wish I'd known that going in. I'm feeling like SSG has been a big waste of time.
Additional information
No response
Example
No response
Beta Was this translation helpful? Give feedback.
All reactions