Vercel Toolbar with strict CSP? (follow-up)

This is a follow-up to Vercel Toolbar with strict CSP? since that thread has been closed and replies are no longer possible.

I wanted to see if there are any plans to support this? Currently we need to do some dirty tricks to get the toolbar to work, for example:

  // allow toolbar for internal team: see https://vercel.community/t/vercel-toolbar-with-strict-csp/471
  const disableVercelToolbar = !rootData?.user?.email?.includes('@acme.com')

  // see: https://web.dev/articles/strict-csp
  // 'unsafe-inline' 'unsafe-eval' https: http: are the backwards-compatible fallback;
  // CSP3 browsers ignore them once 'strict-dynamic' is present.
  const cspHeader = createCspHeader(
    {
      'script-src': `'nonce-${nonce}' 'unsafe-inline' 'unsafe-eval' https: http:`,
      'object-src': "'none'",
      'base-uri': "'none'",
    },
    {
      includeHeaderName: false,
      // only add 'strict-dynamic' for visitors; for the internal team it is dropped so the
      // https:/http: fallback stays effective and the toolbar script can load
      presets: disableVercelToolbar ? [{ 'script-src': "'strict-dynamic'" }] : [],
    }
  )

  responseHeaders.set('Content-Security-Policy', cspHeader)

It would be great if we could get some support with strict-dynamic + nonce csp headers.

1 Like

As you probably saw in the other post, the docs have some info on using a Content Security Policy. But the toolbar does not currently support strict-dynamic CSP.

Pauline already shared the previous post with the engineering team, and I’ll link this post as well.

I moved this topic to the Feedback category and extended the expiration date so others can join the conversation.

3 Likes