This repository was archived by the owner on Dec 20, 2025. It is now read-only.
[BUG]: configuration of CSP report directives (report-uri, report-to) is unsound #41
Open
Labels: type: bug (Something isn't working)
Description
Describe the bug
```js
const nextSafe = require('next-safe');
const isDev = process.env.NODE_ENV !== 'production';

module.exports = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: nextSafe({
          isDev,
          contentSecurityPolicy: {
            'frame-ancestors': 'https://stackblitz.com',
            // next-safe ensures that both directives always have the same value.
            // It prefers report-to over report-uri if both are set.
            // This doesn't make sense: for report-uri, a URL is expected.
            // For report-to it is a group name of a Reporting API configuration.
            // It requires a Report-To header for configuration,
            // see https://developers.google.com/web/updates/2018/09/reportingapi
            'report-uri': 'https://example.com/csp-report-uri',
            'report-to': 'default',
          },
        }),
      },
    ];
  },
};
```

Steps To Reproduce
https://stackblitz.com/edit/nextjs-d6qbyi?file=next.config.js
Version
v3.x.x
Relevant log output
```
base-uri 'none';child-src 'none';connect-src 'self' webpack://*;default-src 'self';font-src 'self';form-action 'self';frame-ancestors https://stackblitz.com;frame-src 'none';img-src 'self';manifest-src 'self';media-src 'self';object-src 'none';prefetch-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self';report-uri default;report-to default;
```

Code of Conduct
- I agree to follow this project's Code of Conduct
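The defect the report describes is that the two reporting directives take values of different kinds: `report-uri` takes one or more HTTP(S) endpoint URLs, while `report-to` names a reporting group that a separate `Report-To` (or, in current browsers, `Reporting-Endpoints`) header must define. Collapsing both to one value yields the `report-uri default` seen in the log output, which browsers cannot deliver reports to. The following is an added example, not next-safe's code: it serializes a directive map while validating each reporting directive on its own terms, emits the companion reporting headers, and scans an already-built policy for `report-uri` values that are not URLs. The function names, the `ISSUE_LOG` constant (trimmed from the log output above) and the `GROUP_NAME` pattern are assumptions made for this example.

```javascript
// Added example (not next-safe's code): treat report-uri and report-to as
// distinct directives and detect the mismatch shown in the issue's log output.

const REPORT_URI = 'report-uri';
const REPORT_TO = 'report-to';

// report-uri endpoints must be absolute http(s) URLs.
function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch {
    return false;
  }
}

// Reporting API group names are simple tokens, never URLs (assumed pattern).
const GROUP_NAME = /^[A-Za-z0-9_-]+$/;

// Serialize a directive map into a Content-Security-Policy header value.
// Each directive keeps its own value; the reporting directives are validated
// separately instead of being forced to share one value.
function buildCsp(directives) {
  const parts = [];
  for (const [name, raw] of Object.entries(directives)) {
    const values = Array.isArray(raw) ? raw : [raw];
    if (name === REPORT_URI) {
      for (const v of values) {
        if (!isHttpUrl(v)) {
          throw new TypeError(`report-uri expects a URL, got ${JSON.stringify(v)}`);
        }
      }
    } else if (name === REPORT_TO) {
      if (values.length !== 1 || !GROUP_NAME.test(values[0])) {
        throw new TypeError(`report-to expects one group name, got ${JSON.stringify(raw)}`);
      }
    }
    parts.push(`${name} ${values.join(' ')}`);
  }
  return parts.join(';');
}

// Report-To header (the one the issue links to) defining the group that
// report-to refers to.
function buildReportTo(group, endpoints, maxAgeSeconds = 86400) {
  return JSON.stringify({
    group,
    max_age: maxAgeSeconds,
    endpoints: endpoints.map((url) => ({ url })),
  });
}

// Reporting-Endpoints header, the newer form used by current Chromium.
function buildReportingEndpoints(group, url) {
  return `${group}="${url}"`;
}

// Scan a serialized policy and return report-uri values that are not URLs.
// For the issue's log output this returns ['default'].
function findBrokenReportUri(csp) {
  return csp
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d.startsWith(REPORT_URI + ' '))
    .flatMap((d) => d.split(/\s+/).slice(1))
    .filter((v) => !isHttpUrl(v));
}

// Constructed sample: the relevant part of the log output from the issue.
const ISSUE_LOG =
  "default-src 'self';frame-ancestors https://stackblitz.com;report-uri default;report-to default;";

// Usage: a policy whose two reporting directives keep their own values.
const POLICY = buildCsp({
  'default-src': "'self'",
  'frame-ancestors': 'https://stackblitz.com',
  'report-uri': 'https://example.com/csp-report-uri',
  'report-to': 'default',
});
```

`findBrokenReportUri` is the check a reviewer can run against a deployed header: any `report-uri` token that does not parse as an `http(s)` URL means reports are silently dropped. `buildReportTo` and `buildReportingEndpoints` show what `report-to: default` has to be paired with; without one of those headers the directive names a group the browser has never heard of.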