mirror of https://github.com/terribleplan/next.js.git synced 2024-01-19 02:48:18 +00:00
next.js/examples/with-strict-csp-hash
Juan Olvera 7e12997af6 Test updater script on examples folder (#5993)
I wrote a [script](https://github.com/j0lv3r4/dependency-version-updater) to update dependencies recursively in `package.json` files, e.g.:

```
$ node index.js --path="./examples" --dependencies="react=^16.7.0,react-dom=^16.7.0"
```

This PR contains the result against the examples folder.
2019-01-05 12:19:27 +01:00
..
pages Add prettier for examples directory (#5909) 2018-12-17 17:34:32 +01:00
package.json Test updater script on examples folder (#5993) 2019-01-05 12:19:27 +01:00
README.md Factor out NextScript inline source (#4934) (#4939) 2018-08-14 11:05:25 -07:00


Example app with strict CSP generating script hash

How to use

Using create-next-app

Execute create-next-app with Yarn or npx to bootstrap the example:

```
npx create-next-app --example with-strict-csp-hash with-strict-csp-hash-app
# or
yarn create next-app --example with-strict-csp-hash with-strict-csp-hash-app
```

Download manually

Download the example:

```
curl https://codeload.github.com/zeit/next.js/tar.gz/canary | tar -xz --strip=2 next.js-canary/examples/with-strict-csp-hash
cd with-strict-csp-hash
```

Install it and run:

```
npm install
npm run dev
# or
yarn
yarn dev
```

Deploy it to the cloud with now (download)

```
now
```

The idea behind the example

This example shows how to set up a strict CSP for your pages by whitelisting Next's inline bootstrap script by hash. In contrast to the with-strict-csp example, which is based on nonces, this approach doesn't require running a server to generate fresh nonce values on every document request. It defines the CSP in a document meta tag.

Note: There are still valid cases for using a nonce, namely when you need to inline scripts or styles for which calculating a hash is not feasible.
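
The hash whitelisting described above, sketched as an added Node.js example (not the code shipped in this example's `pages` directory). The helper names and the sample bootstrap string are constructed for illustration; the check also shows that any change to the inline text, even a trailing space, stops it matching the policy.

```javascript
const { createHash } = require('crypto')

// CSP hash source for the exact text between <script> and </script>.
// The browser hashes the same bytes, so the input must match character for character.
function cspHash(inlineSource) {
  const digest = createHash('sha256').update(inlineSource, 'utf8').digest('base64')
  return `'sha256-${digest}'`
}

// Policy listing one hash per inline script the document will emit.
// No 'unsafe-inline': only scripts whose hash is listed may run inline.
function buildPolicy(inlineSources) {
  const hashes = inlineSources.map(cspHash).join(' ')
  return `default-src 'self'; script-src 'self' ${hashes}`
}

// Meta tag delivery, as this example uses instead of a response header.
function cspMetaTag(policy) {
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`
}

// Simplified check of whether script-src lists the hash of a given inline script
// (ignores the default-src fallback and other keywords a browser also evaluates).
function isInlineAllowed(policy, inlineSource) {
  const directive = policy
    .split(';')
    .map(d => d.trim())
    .find(d => d.startsWith('script-src '))
  return directive !== undefined && directive.split(/\s+/).includes(cspHash(inlineSource))
}

// Constructed sample standing in for the inline bootstrap script of one page.
const bootstrap = '__NEXT_DATA__ = {"page":"/","props":{}}'
const policy = buildPolicy([bootstrap])

console.log(cspMetaTag(policy))
console.log(isInlineAllowed(policy, bootstrap))       // exact text: listed
console.log(isInlineAllowed(policy, bootstrap + ' ')) // one extra space: not listed
```

Because the bootstrap text differs per page and per props, the hash has to be computed for each rendered document rather than hard-coded. A policy delivered by meta tag ignores `frame-ancestors`, `report-uri` and `sandbox`, so those still need a response header if you rely on them.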