Closed
Description
Edit: This issue is very old and has now been replaced with #23993.
I don't see a way using next.js with a sensible CSP employed, foremost because it's eval'ing the component code (unsafe-eval
is highly discouraged w.r.t. XSS). In addition, the injected scripts page component scripts should get a computed hash, and an SRI hash should be added for the CDN/next.js script.
Excuse my ignorance about, but wouldn't it be better to use plain old script tag loading for the component module, props etc.?
Metadata
Metadata
Assignees
Labels
No labels