Replies: 10 comments 11 replies
-
How do I implement this "per app" for now until it's made part of the framework? My next.config.js:

```js
const withPrefresh = require('@prefresh/next')
const SriPlugin = require('webpack-subresource-integrity')
module.exports = withPrefresh({
  webpack(config, { dev, isServer }) {
    // Preact config that is not relevant
    config.output.crossOriginLoading = 'anonymous'
    config.plugins.push(new SriPlugin({
      hashFuncNames: ['sha256', 'sha384'],
      enabled: true,
    }))
    return config
  },
})
```
-
I'm the principal author of webpack-subresource-integrity, I would also like to see this feature and could maybe help build it. The snippet above is a start, except it should only be executed when

Without knowing much about next.js code, it looks like these hashes will have to be extracted from the result of the client build (somewhere around here?) and injected into the HTML pages (here?). How would this data be ferried from one place to the other? I've seen mention of a manifest for this purpose, which should do the trick for the production server. Would that be a good place for it? For static builds the hashes are not needed in a manifest as they will already be baked into the HTML. I've also seen mention of the client-side router injecting

One other consideration is that when enabled, the
-
Do ESM modules even support SRI?
-
Any plans on supporting SRI at framework level?
-
Does anyone know if the per-app solution is still working with the current version of next.js and webpack? I cannot see any integrity attributes being applied for this:

```js
/** @type {import('next').NextConfig} */
const { SubresourceIntegrityPlugin } = require('webpack-subresource-integrity');
const nextConfig = {
  reactStrictMode: true,
  swcMinify: true,
  webpack(config) {
    config.output.crossOriginLoading = "anonymous";
    config.plugins.push(
      new SubresourceIntegrityPlugin({
        hashFuncNames: ["sha256", "sha384"],
        enabled: true,
      })
    );
    return config;
  },
}
module.exports = nextConfig
```
-
There's been some movement on the SRI front in #39729, has anyone worked with the new option yet?
-
Hi, is there any update for the pages directory? The plugin
-
Hi, is there any update on this FR?
-
I see there is a canary update that supports SRI in App Router mode; my question is whether the Pages Router will be supported later or not?
-
Hi, is there any update on this? We have several clients running Next for their eCommerce stores and this has now become a requirement of PCI-DSS. So it would be good to get an answer and some documentation as to how this can be enabled.
-
Feature request

Is your feature request related to a problem? Please describe.

Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation.

Describe the solution you'd like

Implement the webpack plugin (https://www.npmjs.com/package/webpack-subresource-integrity) as default, or under a flag just for the production environment. Thanks to it every external resource should have a generated `integrity` hash and a specified `crossorigin` policy. Example:

Describe alternatives you've considered

There are other alternative plugins as well. We can also develop an in-house solution.

This feature can also be handled "per app", however, in my opinion, things related to the security of resource loading should be handled by the framework.