[英]Running nextjs development mode with CSP and "style-src" with nonce
I'm not able to get nextjs development mode running with "style-src" CSP active.我无法在“style-src”CSP 处于活动状态的情况下运行 nextjs 开发模式。 Currently i have only 2 errors left, but these impact my development flow:
目前我只剩下 2 个错误,但这些会影响我的开发流程:
I think this 2 errors would be the styling for error display in development mode and the refresh spinner.我认为这 2 个错误将是开发模式和刷新微调器中错误显示的样式。
is there a way to fix this (adding nonce or something).有没有办法解决这个问题(添加随机数或其他东西)。 I want to have the same CSP for development as for production to not produce CSP errors after build.
我希望使用与生产相同的 CSP 进行开发,以免在构建后产生 CSP 错误。 (ie. using inline style somewhere).
(即在某处使用内联样式)。 If i have to use "unsafe-inline" for development i will not be notified until changes are build and deployed.
如果我必须使用“不安全内联”进行开发,在构建和部署更改之前我不会收到通知。
Using __webpack_nonce__
also doesn't help.使用
__webpack_nonce__
也无济于事。
Seams like the scripts try to inject a <script>
element to the dom, but don't respect __webpack_nonce__
.像脚本这样的接缝试图将
<script>
元素注入 dom,但不尊重__webpack_nonce__
。 is there a way to force inject it to each element?有没有办法强制将它注入每个元素?
With just the error messages to work with I assume that the code is either inserting a style tag or a style attribute.仅使用错误消息,我假设代码是插入样式标签或样式属性。 Attributes are not nonceable and also will not work with hashes in many (or all) browser implementations.
属性不是 nonceable,也不会在许多(或所有)浏览器实现中与哈希一起使用。 If it is a style tag it is likely that the module setting it doesn't support nonces.
如果它是样式标签,则它的模块设置很可能不支持随机数。 Try inserting the hash provided in the error message.
尝试插入错误消息中提供的 hash。 If there are variations to the style you may have add multiple hashes.
如果样式有变化,您可能会添加多个散列。 If you need to keep adding hashes for a long time, the hash route is not for you.
如果您需要长时间添加哈希值,则 hash 路由不适合您。 If these hashes aren't needed in production they still do no harm, except require a tiny bit of bandwidth.
如果生产中不需要这些散列,它们仍然没有害处,只是需要一点点带宽。
If you need to resort to 'unsafe-inline' in general, this isn't very bad for style-src if you restrict other parts of your CSP, according to https://scotthelme.co.uk/can-you-get-pwned-with-css/ .根据https://scothelme.co.uk/can-you-get ,如果您一般需要求助于“不安全内联”,如果您限制 CSP 的其他部分,这对 style-src 来说并不是很糟糕-pwned-with-css/ 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.