[docs] Always include unsafe-eval in dev Content-Security-Policy#89163
Update CSP documentation examples to check for development mode before adding 'unsafe-eval' to script-src directive:

- Proxy examples with nonces now include isDev check
- SRI configuration example now includes isDev check
- Prevents unsafe-eval from being shipped to production

This aligns all examples with the existing 'Without Nonces' and 'Development Environment' sections that already had proper checks.

Co-authored-by: sebastian.silbermann <sebastian.silbermann@vercel.com>
Add explanation that React uses eval to provide enhanced debugging information, such as reconstructing server-side error stacks in the browser to show where errors originated on the server. Co-authored-by: sebastian.silbermann <sebastian.silbermann@vercel.com>
Approving but I wonder if the Third-party scripts section should also have the isDev check? @cursor |
Why should this section not have
Mmm maybe I am misreading something here, but we have https://nextjs.org/docs/app/guides/content-security-policy#third-party-scripts with:

```js
const cspHeader = `
  default-src 'self';
  script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https://www.googletagmanager.com;
  connect-src 'self' https://www.google-analytics.com;
  img-src 'self' data: https://www.google-analytics.com;
`
```

This should also have the
yes. @cursor please add a dev-only
…89163) Co-authored-by: Cursor Agent <cursoragent@cursor.com>
`eval` is critical for React's Server error/console replaying to work. We included `unsafe-eval` in the CSP in some examples but not all. Now we include `unsafe-eval` everywhere.

Part of https://linear.app/vercel/issue/NAR-754/

Slack Thread