v1.0.0:2 — revert CSP nonces; restore inline-friendly CSP
v1.0.0:1 shipped a per-request nonce-based CSP via Next.js middleware. In production it produced a blank first paint: Next 14.2.x's bootstrap inline scripts weren't picking up the nonce reliably from the x-nonce request header, so the browser blocked them.

This release reverts to the pre-experiment posture:

- middleware.ts back to auth gating only (no nonce, no CSP).
- next.config.js restores the static CSP with `'unsafe-inline'` allowed for script-src and style-src. Same headers (HSTS, Referrer-Policy, Permissions-Policy, frame-ancestors 'none', etc.) all stay.
- New startos/versions/v1.0.0.2.ts with empty up/down migrations and a release note explaining the bug + revert. Promoted to `current` in the version graph; v1.0.0:1 moves to `other` so existing installs upgrade in place.

No schema changes, no data migration. Existing v1.0.0:1 installs keep their /data.

Re-attempt path documented in middleware.ts and next.config.js comments: future PR can revisit nonce CSP using Next's documented pattern verbatim (notably setting CSP on BOTH request headers and response headers — we only set it on response).
@@ -1,18 +1,21 @@
import { VersionGraph } from '@start9labs/start-sdk'
import { v_1_0_0_1 } from './v1.0.0.1'
import { v_1_0_0_2 } from './v1.0.0.2'
/**
* Version graph for the `proof-of-work` package.
*
* v1.0.0:1 — initial release, seeded cutover from the legacy `workout-log`
* package. No prior version to upgrade from.
* v1.0.0:1 — initial release, seeded cutover from the legacy
* `workout-log` package.
* v1.0.0:2 — CSP fix (reverts the over-strict nonce-based CSP that
* broke first paint in v1.0.0:1).
*
* StartOS picks `current` as the install target; `other` lists every node
* that can upgrade into `current`. Fresh sideloads land directly on
* `current`. Once we ship the post-cutover cleanup release, it goes here as
* the new `current` and v1.0.0:1 moves into `other`.
* StartOS picks `current` as the install target; `other` lists every
* node that can upgrade into `current`. Hosts on v1.0.0:1 upgrade to
* v1.0.0:2 via the no-op up migration; fresh installs land directly
* on v1.0.0:2.
*/
export const versionGraph = VersionGraph.of({
current: v_1_0_0_1,
other: [],
current: v_1_0_0_2,
other: [v_1_0_0_1],
})
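Review bot: the rewritten doc comment drops the earlier sentence that the post-cutover cleanup release would go in as the next `current`; if that release is still planned, keep a line saying so, because v1.0.0:2 is a CSP revert and not that cleanup, and the comment is now the only place the plan was recorded. It would also help to state next to `other: [v_1_0_0_1]` that the upgrade delivers the CSP revert purely through the rebuilt image (middleware.ts and next.config.js, per the commit message), since the no-op up migration is otherwise the only mechanism this file points a reader at.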
@@ -0,0 +1,30 @@
import { IMPOSSIBLE, VersionInfo } from '@start9labs/start-sdk'
/**
* v1.0.0:2 — CSP nonce revert.
*
* v1.0.0:1 shipped a per-request nonce-based Content-Security-Policy
* via Next.js middleware. In production, the bootstrap inline scripts
* weren't picking up the nonce reliably (Next 14.2.x), so the browser
* blocked them and the app showed a blank first paint.
*
* This release reverts to a static CSP with `'unsafe-inline'` allowed
* for script-src and style-src — the same posture that worked through
* the v1.0.0:1 cutover smoke build. All other security headers (HSTS,
* Referrer-Policy, Permissions-Policy, etc.) and every other v1.0.0:1
* change are unchanged.
*
* No schema changes, no data migration. /data on existing v1.0.0:1
* installs is left exactly as-is.
*/
export const v_1_0_0_2 = VersionInfo.of({
version: '1.0.0:2',
releaseNotes: {
en_US:
'Bug fix: blank first paint on v1.0.0:1 caused by an over-strict Content-Security-Policy. Reverts CSP to the same posture that worked through the cutover smoke build. No data migration; /data is untouched.',
},
migrations: {
up: async () => {},
down: IMPOSSIBLE,
},
})
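Review bot: `down: IMPOSSIBLE` in the `migrations` block contradicts the commit message, which says the release ships "empty up/down migrations"; either make `down` a no-op like `up`, or, if refusing the downgrade is intentional so hosts cannot land back on the v1.0.0:1 CSP that blanked first paint, write that reason into the doc comment and the commit message. Separately, the `releaseNotes.en_US` string presents the change only as a bug fix; since it re-allows `'unsafe-inline'` for script-src and style-src (as this file's own doc comment states), the user-facing note should say plainly that the v1.0.0:1 CSP hardening was rolled back rather than tightened, so operators can weigh it.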