grant/proof-of-work
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.0.0:2 — revert CSP nonces; restore inline-friendly CSP

Browse Source 
v1.0.0:1 shipped a per-request nonce-based CSP via Next.js middleware.
In production it produced a blank first paint: Next 14.2.x's bootstrap
inline scripts weren't picking up the nonce reliably from the x-nonce
request header, so the browser blocked them.

This release reverts to the pre-experiment posture:
- middleware.ts back to auth gating only (no nonce, no CSP).
- next.config.js restores the static CSP with `'unsafe-inline'` allowed
  for script-src and style-src. Same headers (HSTS, Referrer-Policy,
  Permissions-Policy, frame-ancestors 'none', etc.) all stay.
- New startos/versions/v1.0.0.2.ts with empty up/down migrations and
  a release note explaining the bug + revert. Promoted to `current`
  in the version graph; v1.0.0:1 moves to `other` so existing
  installs upgrade in place.

No schema changes, no data migration. Existing v1.0.0:1 installs
keep their /data.

Re-attempt path documented in middleware.ts and next.config.js
comments: future PR can revisit nonce CSP using Next's documented
pattern verbatim (notably setting CSP on BOTH request headers and
response headers — we only set it on response).
This commit is contained in:
Keysat
2026-05-09 12:05:11 -05:00
parent 990f5582b8
commit edeb1eb148
4 changed files with 98 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files
start9/0.4/startos/versions/v1.0.0.2.ts
+30
View File
@@ -0,0 +1,30 @@
import { IMPOSSIBLE, VersionInfo } from '@start9labs/start-sdk'
/**
* v1.0.0:2 — CSP nonce revert.
*
* v1.0.0:1 shipped a per-request nonce-based Content-Security-Policy
* via Next.js middleware. In production, the bootstrap inline scripts
* weren't picking up the nonce reliably (Next 14.2.x), so the browser
* blocked them and the app showed a blank first paint.
*
* This release reverts to a static CSP with `'unsafe-inline'` allowed
* for script-src and style-src — the same posture that worked through
* the v1.0.0:1 cutover smoke build. All other security headers (HSTS,
* Referrer-Policy, Permissions-Policy, etc.) and every other v1.0.0:1
* change are unchanged.
*
* No schema changes, no data migration. /data on existing v1.0.0:1
* installs is left exactly as-is.
*/
export const v_1_0_0_2 = VersionInfo.of({
version: '1.0.0:2',
releaseNotes: {
en_US:
'Bug fix: blank first paint on v1.0.0:1 caused by an over-strict Content-Security-Policy. Reverts CSP to the same posture that worked through the cutover smoke build. No data migration; /data is untouched.',
},
migrations: {
up: async () => {},
down: IMPOSSIBLE,
},
})