designslife/WebForm-mw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow CSP unsafe-eval in dev only (Next.js HMR); production stays strict

Browse Source
This commit is contained in:
Joel Brock
2026-05-09 21:51:28 -07:00
parent 656bf7fd0a
commit 442740939e
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
next.config.ts
View File

@@ -14,12 +14,18 @@ import type { NextConfig } from "next";
* other origins via the Referer header. * other origins via the Referer header.
* - X-Content-Type-Options: prevents MIME sniffing. * - X-Content-Type-Options: prevents MIME sniffing.
*/ */
// Next.js React dev runtime uses dynamic-script execution for fast-refresh,
// error overlays, and source-map reconstruction. Permit that ONLY in dev so
// HMR works; production CSP stays strict (no dynamic execution allowed).
const isDev = process.env.NODE_ENV !== "production";
const devOnlyDynamicScript = isDev ? " 'unsafe-eval'" : "";
const securityHeaders = [ const securityHeaders = [
{ {
key: "Content-Security-Policy", key: "Content-Security-Policy",
value: [ value: [
"default-src 'self'", "default-src 'self'",
"script-src 'self' 'unsafe-inline'", `script-src 'self' 'unsafe-inline'${devOnlyDynamicScript}`,
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com", "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
"font-src 'self' https://fonts.gstatic.com data:", "font-src 'self' https://fonts.gstatic.com data:",
"img-src 'self' data:", "img-src 'self' data:",