8000 @strict-csp/builder package + middleware fixes for Vercel by nibtime · Pull Request #69 · nibtime/next-safe-middleware · GitHub
[go: up one dir, main page]
Skip to content

@strict-csp/builder package + middleware fixes for Vercel #69

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Aug 5, 2022
Merged

@strict-csp/builder package + middleware fixes for Vercel #69

merged 13 commits into from
Aug 5, 2022

Conversation

nibtime
Copy link
Owner
@nibtime nibtime commented Aug 5, 2022

first step of #66

  • CSP typings are maintained within @strict-csp/builder package
  • some hotfixes for bad middleware-related bugs that can break CSP (on Vercel only)

nibtime added 11 commits August 5, 2022 00:01
@nibtime
feat(csp): create @strict-csp/builder package
946a684 
for all aspects like create, manipulate, merge, ... + typings
independent of any framework
@nibtime
refactor: use @strict-csp/builder package
75bc714 
test: run with --passWithNoTests

existing unit tests moved to builder package
@nibtime
docs: fix downloads badge
e97b20a
@nibtime
fix(types): add ws and wss to SchemeSource
2fdba65
@nibtime
fix(middleware): connect-src for next dev
fb8024f 
include ws: and wss: scheme soruces for for Webpack HMR
@nibtime
fix(document): filter out falsy attribute values for inline loaders
4a4968d 
to avoid excess script hashes when preemptively register loaders for ISR
(due to different async/defer true/false combinations)

Can be safely reduced by filtering out falsy attribute values before,
as just not setting the attribute means false

refactor:  move code to remove circular dependency

fix(rollup): get rid of rollup warnings

fix(rollup): list all external modules explicitly for each bundle
@nibtime
fix(middleware): include Safari 15.4 in supportsStrictDynamic
33b5cdf
@nibtime
fix(middleware): do some stuff to avoid weird bugs on Vercel
7fecb74 
fix: avoid Promise.all.
- await manifest, cspbuilder and config and run finalize sequentially

fix: avoid module-level cache variable for global cache

- cache within memoize function scope
- on Vercel, sometimes a manifest of a different deployment got inserted!
@nibtime
👥 Add @aheimlich as a contributor
b41447e
@nibtime
update next to ^12.2.4 (and 2 others)
225a2cd 
Commit generated via `yarn stage`
@nibtime
build: require next >=12.2.4 as peer dep
ef714de 
has important routing bug fixes related to middleware, see #34 (comment)
@changeset-bot
Copy link
changeset-bot bot commented Aug 5, 2022
edited
Loading

🦋 Changeset detected

Latest commit: 8283af8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name Type
@strict-csp/builder Minor
@next-safe/middleware Patch
docs Patch
e2e Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link
vercel bot commented Aug 5, 2022
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated
docs-next-safe-middleware ✅ Ready (Inspect) Visit Preview Aug 5, 2022 at 1:43PM (UTC)
e2e-next-safe-middleware ✅ Ready (Inspect) Visit Preview Aug 5, 2022 at 1:43PM (UTC)

@nibtime nibtime changed the title @strict-csp/builder package + fixes @strict-csp/builder package + middleware fixes for Vercel Aug 5, 2022
nibtime added 2 commits August 5, 2022 13:33
@nibtime
fix(document): apply inline styles to ctx only with nonce
d0dd411 
...and non-empty CSP. This led to a bug with on-demand ISR on Vercel,
where the styles overwrote the actual CSP from middleware with some styles
only.

refactor(document): remove unused file modules
@nibtime
chore(changesets): add
8283af8
@nibtime
Copy link
Owner Author
nibtime commented Aug 5, 2022
edited
Loading

Manually tested the e2e app with a real iPad Pro device on Safari >=15.4 with strict-dynamic:

53db2380-d51f-4c64-993d-41255b5c5d22.mp1659709812286.mp4

Notes:

  • Safari only serves the report-uri directive and I can confirm that violation reports are received at /api/reporting. That's why it is important to always serve both reporting directives, even though report-uri is flagged deprecated.

  • Safari doesn't execute web worker inline test script with partytown

@nibtime nibtime merged commit c407570 into main Aug 5, 2022
@github-actions github-actions bot mentioned this pull request Aug 5, 2022
Open
@nibtime nibtime mentioned this pull request Aug 5, 2022
Closed
This was referenced May 26, 2023
Merged
Closed
Closed
Closed
Closed
This was referenced May 29, 2023
Closed
Closed
Closed
Closed
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nibtime
0