TLDR:我在使用 Material-UI(服务器端渲染)为 NextJS 设置 CSP 并由 Nginx(使用反向代理)提供服务时遇到问题。
目前我在加载 Material-UI 样式表和加载我自己的样式时遇到问题
使用makeStyles来自@material-ui/core/styles
笔记:
- 按照https://material-ui.com/styles/advanced/#next-js开启 SSR
- https://github.com/mui-org/material-ui/tree/master/examples/nextjs
- 我查看了https://material-ui.com/styles/advanced/#how-does-one-implement-csp但我不确定如何让 nginx 遵循这些nonce值,因为 nonce 生成为不可预测的字符串.
default.conf (nginx)
# https://www.acunetix.com/blog/web-security-zone/hardening-nginx/upstream nextjs_upstream { server localhost:3000; # We could add additional servers here for load-balancing}server { listen $PORT default_server; # redirect http to https. use only in production # if ($http_x_forwarded_proto != 'https') { # rewrite ^(.*) https://$host$request_uri redirect; # } server_name _; server_tokens off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; # hide how is app powered. In this case hide NextJS is running behind the scenes. proxy_hide_header X-Powered-By; # set client request body buffer size to 1k. Usually 8k client_body_buffer_size 1k; client_header_buffer_size 1k; client_max_body_size 1k; large_client_header_buffers 2 1k; # ONLY respond to requests from HTTPS add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; # to prevent click-jacking add_header X-Frame-Options "DENY"; # don't load scripts or CSS if their MIME type as indicated by the server is incorrect add_header X-Content-Type-Options nosniff; add_header 'Referrer-Policy' 'no-referrer'; # Content Security Policy (CSP) and X-XSS-Protection (XSS) add_header Content-Security-Policy "default-src 'none'; script-src 'self'; object-src 'none'; style-src 'self' https://fonts.googleapis.com/css?family=Roboto:300,400,500,700 form-action 'none'; frame-ancestors 'none'; base-uri 'none';" always; add_header X-XSS-Protection "1; mode=block"; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; location / { # limit request types to HTTP GET # ignore everything else limit_except GET { deny all; } proxy_pass http://nextjs_upstream; }}
回答
我找到的解决方案是在 _document.tsx 中向内联 js 和 css 添加 nonce 值
_document.tsx
使用 uuid v4 生成随机数,并使用 crypto nodejs 模块将其转换为 base64。然后创建内容安全策略并添加生成的 nonce 值。创建一个函数来完成创建随机数并生成 CSP 并与随机数一起返回 CSP 字符串
在 HTML Head 中添加生成的 CSP 并添加元标记。
import React from 'react';import Document, { Html, Head, Main, NextScript } from 'next/document';import { ServerStyleSheets } from '@material-ui/core/styles';import crypto from 'crypto';import { v4 } from 'uuid';// import theme from '@utils/theme';/** * Generate Content Security Policy for the app. * Uses randomly generated nonce (base64) * * @returns [csp: string, nonce: string] - CSP string in first array element, nonce in the second array element. */const generateCsp = (): [csp: string, nonce: string] => { const production = process.env.NODE_ENV === 'production'; // generate random nonce converted to base64. Must be different on every HTTP page load const hash = crypto.createHash('sha256'); hash.update(v4()); const nOnce= hash.digest('base64'); let csp = ``; csp += `default-src 'none';`; csp += `base-uri 'self';`; csp += `style-src https://fonts.googleapis.com 'unsafe-inline';`; // NextJS requires 'unsafe-inline' csp += `script-src 'nonce-${nonce}' 'self' ${production ? '' : "'unsafe-eval'"};`; // NextJS requires 'self' and 'unsafe-eval' in dev (faster source maps) csp += `font-src https://fonts.gstatic.com;`; if (!production) csp += `connect-src 'self';`; return [csp, nonce];};export default class MyDocument extends Document { render(): JSX.Element { const [csp, nonce] = generateCsp(); return ( {/* PWA primary color */} {/* */} rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto:300,400,500,700 }}// `getInitialProps` belongs to `_document` (instead of `_app`),// it's compatible with server-side generation (SSG).MyDocument.getInitialProps = async (ctx) => { const sheets = new ServerStyleSheets(); const originalRenderPage = ctx.renderPage; ctx.renderPage = () => originalRenderPage({ enhanceApp: (App) => (props) => sheets.collect(), }); const initialProps = await Document.getInitialProps(ctx); return { ...initialProps, // Styles fragment is rendered after the app and page rendering finish. styles: [...React.Children.toArray(initialProps.styles), sheets.getStyleElement()], };};
来源:https : //github.com/vercel/next.js/blob/master/examples/with-strict-csp/pages/_document.js
nginx 配置
确保删除有关内容安全策略的添加标头。它可能会覆盖 _document.jsx 文件中的 CSP。
替代解决方案
创建自定义服务器并注入可在 _document.tsx 中访问的随机数和内容安全策略
- https://bitgate.cz/content-security-policy-inline-scripts-and-next-js/
- https://nextjs.org/docs/advanced-features/custom-server
- https://medium.com/weekly-webtips/next-js-on-the-server-side-notes-to-self-e2170dc331ff