next-safe-middleware

Pass in arbitrary script hashes?

Open fymmot opened this issue 2 years ago • 0 comments

Hi! I am using next-themes for dark mode functionality on my site, which is inserting a script block into the <body>.

This block isn't trustified by next-safe-middleware and is causing a CSP error. I was wondering if it is possible to hash it manually and pass the hash to the CSP policy somehow?

I tried creating a script-src directive and adding the hash, but the policy appears to be overwritten when the site is deployed:

'script-src': [
  'self',
  'sha256-eMuh8xiwcX72rRYNAGENurQBAcH7kLlAUQcoOri3BIo=',
],

Is there a way to achieve this? (Apologies in advance if I have missed something obvious)

fymmot, Nov 10 '22 08:11
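The manual hashing asked about above, as an added example that is not part of the original issue and is not next-safe-middleware's own code: it computes the CSP hash source for each inline script in a rendered page and reports which ones the delivered policy does not list. All function names, the sample HTML and the sample policy are constructed for illustration; nonces and `'unsafe-inline'` are not evaluated.

```javascript
// Added example: function names, sample HTML and sample policy are constructed.
const { createHash } = require("node:crypto");

// CSP hash source for an inline script: base64 SHA-256 over the exact text
// between <script> and </script>, whitespace and newlines included.
function cspHash(scriptBody) {
  const digest = createHash("sha256").update(scriptBody, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Hash sources for every inline <script> (no src attribute) in the HTML.
// Regex extraction is enough to audit rendered output; it is not an HTML parser.
function inlineScriptHashes(html) {
  const hashes = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script, no inline body to hash
    hashes.push(cspHash(body));
  }
  return hashes;
}

// Source list of one directive from a Content-Security-Policy header value,
// or null when the directive is absent.
function directiveSources(policy, name) {
  for (const part of policy.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/);
    if (directive.toLowerCase() === name) return sources;
  }
  return null;
}

// Inline-script hashes that the policy's script-src (falling back to
// default-src) does not list. Nonces and 'unsafe-inline' are not considered.
function unlistedHashes(html, policy) {
  const sources =
    directiveSources(policy, "script-src") ??
    directiveSources(policy, "default-src") ??
    [];
  return inlineScriptHashes(html).filter((hash) => !sources.includes(hash));
}

// Constructed sample: one inline script (as a theme library might inject)
// and a policy header that lists no hash for it.
const SAMPLE_HTML =
  '<body><script>document.documentElement.dataset.theme="dark"</script>' +
  '<script src="/_next/static/app.js"></script></body>';
const SAMPLE_POLICY = "default-src 'self'; script-src 'self'";
console.log(unlistedHashes(SAMPLE_HTML, SAMPLE_POLICY));
```

Run it against the HTML and `Content-Security-Policy` header the deployed site actually returns, since that is where the policy was observed to differ.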