8c5add23a8
## What Ensures `nonce` is added to script and link tags Next.js renders. Additional cases it now handles: - We already passed `nonce` to the React rendering, though not consistently on all cases where `renderToStream` is called, I'm surprised there haven't been more reports of this, but now it will pass it on all cases where React rendering is called that I could find - In `get-layer-assets.tsx` we now pass `nonce` to both the `script` and `link` tags - When calling `ReactDOM.preload` the nonce was missing as well, ensured that the nonce is included in that case as well. Added a test that mimics the reproduction by adding `next/font` in this case. Fixes #64037 Closes PACK-2973 <!-- Thanks for opening a PR! Your contribution is much appreciated. To make sure your PR is handled as smoothly as possible we request that you follow the checklist sections below. Choose the right checklist for the change(s) that you're making: ## For Contributors ### Improving Documentation - Run `pnpm prettier-fix` to fix formatting issues before opening the PR. - Read the Docs Contribution Guide to ensure your contribution follows the docs guidelines: https://nextjs.org/docs/community/contribution-guide ### Adding or Updating Examples - The "examples guidelines" are followed from our contributing doc https://github.com/vercel/next.js/blob/canary/contributing/examples/adding-examples.md - Make sure the linting passes by running `pnpm build && pnpm lint`. See https://github.com/vercel/next.js/blob/canary/contributing/repository/linting.md ### Fixing a bug - Related issues linked using `fixes #number` - Tests added. See: https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ### Adding a feature - Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. 
(A discussion must be opened, see https://github.com/vercel/next.js/discussions/new?category=ideas) - Related issues/discussions are linked using `fixes #number` - e2e tests added (https://github.com/vercel/next.js/blob/canary/contributing/core/testing.md#writing-tests-for-nextjs) - Documentation added - Telemetry added. In case of a feature if it's used or not. - Errors have a helpful link attached, see https://github.com/vercel/next.js/blob/canary/contributing.md ## For Maintainers - Minimal description (aim for explaining to someone not on the team to understand the PR) - When linking to a Slack thread, you might want to share details of the conclusion - Link both the Linear (Fixes NEXT-xxx) and the GitHub issues - Add review comments if necessary to explain to the reviewer the logic behind a change ### What? ### Why? ### How? Closes NEXT- Fixes # -->
// @ts-check
import { NextResponse } from 'next/server'
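/**
 * Test-fixture middleware: each branch exercises one routing or response-header
 * scenario for the e2e suite (search-param normalization, rewrites/redirects,
 * internal-header handling and CSP nonces).
 *
 * @param {import('next/server').NextRequest} request
 * @returns {Promise<NextResponse | undefined>} a response for the paths handled
 *   below; `undefined` for every other path so Next.js proceeds normally
 */
export async function middleware(request) {
  const { pathname } = request.nextUrl

  if (pathname === '/searchparams-normalization-bug') {
    // Copy the incoming headers and reflect the `val` query parameter into a
    // request header so the page can observe how the search params were
    // normalized. `?? ''` keeps a missing param as an empty string.
    const headers = new Headers(request.headers)
    headers.set('test', request.nextUrl.searchParams.get('val') ?? '')
    return NextResponse.next({ request: { headers } })
  }

  // Both paths are rewritten to the same dashboard route.
  if (
    pathname === '/exists-but-not-routed' ||
    pathname === '/middleware-to-dashboard'
  ) {
    return NextResponse.rewrite(new URL('/dashboard', request.url))
  }

  // In dev this route will fail to bootstrap because webpack uses eval, which is
  // disallowed by this policy. In production this route will work.
  if (pathname === '/bootstrap/with-nonce') {
    return withScriptNonce()
  }

  if (pathname.startsWith('/internal/test')) {
    // The path suffix selects which NextResponse static method is exercised.
    const method = pathname.endsWith('rewrite') ? 'rewrite' : 'redirect'

    // A request still carrying Next.js-internal router headers is treated as
    // a failure by this test; otherwise it lands on the success page.
    const internal = ['RSC', 'Next-Router-State-Tree']
    const hasInternalHeader = internal.some((name) =>
      request.headers.has(name.toLowerCase())
    )
    const target = hasInternalHeader ? '/internal/failure' : '/internal/success'
    return NextResponse[method](new URL(target, request.url))
  }

  if (pathname === '/search-params-prop-middleware-rewrite') {
    return NextResponse.rewrite(
      new URL(
        '/search-params-prop?first=value&second=other%20value&third',
        request.url
      )
    )
  }

  if (pathname === '/search-params-prop-server-middleware-rewrite') {
    return NextResponse.rewrite(
      new URL(
        '/search-params-prop/server?first=value&second=other%20value&third',
        request.url
      )
    )
  }

  // Both nonce routes share the same policy; the second one additionally
  // renders `next/font` so its preload/link tags must carry the nonce too.
  if (pathname === '/script-nonce' || pathname === '/script-nonce/with-next-font') {
    return withScriptNonce()
  }
}

/**
 * Build a pass-through response whose Content-Security-Policy carries a fresh
 * per-request nonce. Only scripts tagged with that nonce (and, via
 * 'strict-dynamic', scripts they load) are allowed to execute.
 *
 * @returns {NextResponse}
 */
function withScriptNonce() {
  // crypto.randomUUID() draws from the platform CSPRNG, so the nonce is
  // unguessable; a new one is minted on every request and must never be reused.
  const nonce = crypto.randomUUID()
  return NextResponse.next({
    headers: {
      // Header names are case-insensitive; lowercase is used consistently here.
      'content-security-policy': `script-src 'nonce-${nonce}' 'strict-dynamic';`,
    },
  })
}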