Bug Report

A summary of the bug
next-secure-headers crashes if you try to use a relative URL in reportURI.

Here you can see that next-secure-headers is using URL for that directive:
https://github.com/jagaapple/next-secure-headers/blob/master/src/rules/content-security-policy.ts#L197
https://github.com/jagaapple/next-secure-headers/blob/master/src/rules/shared/uri-encoder.ts
And it is a bad idea.

Current behavior
Currently it crashes the server on its start:

```
ready - started server on 0.0.0.0:3000, url: http://localhost:3000
TypeError [ERR_INVALID_URL]: Invalid URL
    at new NodeError (node:internal/errors:363:5)
    at onParseError (node:internal/url:536:9)
    at new URL (node:internal/url:612:5)
    at encodeStrictURI (/home/my/ui-auth/node_modules/next-secure-headers/lib/rules/shared/uri-encoder.js:4:34)
    at Array.map (<anonymous>)
    at convertReportingDirectiveToString (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:109:62)
    at createContentSecurityPolicyOptionHeaderValue (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:127:9)
    at Object.createContentSecurityPolicyHeader (/home/my/***/node_modules/next-secure-headers/lib/rules/content-security-policy.js:139:19)
    at Object.createHeadersObject (/home/my/***/node_modules/next-secure-headers/lib/index.js:18:23)
    at createSecureHeaders (/home/my/***/node_modules/next-secure-headers/lib/index.js:37:35) {
  input: '/api/csp_violation',
  code: 'ERR_INVALID_URL'
}
```

To Reproduce
Create the following next.config.mjs:

```js
import { createSecureHeaders } from 'next-secure-headers';

let cspDirectives = {
  defaultSrc: "'self'",
  styleSrc: ["'self'", "https://stackpath.bootstrapcdn.com"],
}; // any directives
cspDirectives.reportURI = '/api/csp_violation';

export default {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: createSecureHeaders({
          contentSecurityPolicy: {
            directives: cspDirectives,
          },
          referrerPolicy: 'no-referrer',
        }),
      },
    ];
  },
}
```

And run yarn run dev.

Expected behavior
No crash.
Helmet allows relative report-uri in CSP (e.g. /api/csp_violation).
Also, the specification allows such URIs:
https://w3c.github.io/webappsec-csp/#directive-report-uri
https://datatracker.ietf.org/doc/html/rfc3986#section-4.1

Environment
next-secure-headers: v2.2.0
Node.js: v16.3.0
OS: Ubuntu 16.04
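As an added illustration of the failure mode (this is example code, not part of the issue and not next-secure-headers' own implementation): the `encodeStrictURI` stand-in below reproduces the `new URL(uri)` call the stack trace points at, which the WHATWG parser rejects for a bare path because it has no base to resolve against. `encodeReportURI` is an assumed replacement that keeps strict parsing for absolute URIs but also accepts the relative references (path-absolute, network-path, path-noscheme) that RFC 3986 section 4.1 and the CSP report-uri grammar allow, validating and percent-encoding them against a throwaway origin and then stripping that origin off again. `strictURIFailure`, `toDirectiveName`, `buildCspHeader` and `sampleDirectives` are this example's own names and constructed input.

```javascript
// Added example, not code from the issue or from next-secure-headers.
// Reproduces why a bare relative report-uri crashes a `new URL(uri)` based
// encoder, and shows an encoder that accepts the uri-references CSP's
// report-uri directive actually permits (RFC 3986 section 4.1).

// Minimal stand-in for the library's strict encoder (name taken from the
// stack trace; the body is an assumption): a WHATWG URL parse with no base.
function encodeStrictURI(uri) {
  return new URL(uri).href;
}

// Returns { name, code } of the error a strict parse raises for `uri`,
// or null if the value parses cleanly.
function strictURIFailure(uri) {
  try {
    encodeStrictURI(uri);
    return null;
  } catch (err) {
    return { name: err.name, code: err.code };
  }
}

// RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.-]*:/;

// Tolerant encoder (this example's own design): absolute URIs are still parsed
// strictly; relative references are validated and percent-encoded by resolving
// them against a placeholder origin, which is then removed so the browser
// resolves the reference against the document URL, as the CSP spec requires.
function encodeReportURI(uri) {
  if (typeof uri !== 'string' || uri.length === 0) {
    throw new TypeError('report-uri must be a non-empty string');
  }
  if (SCHEME_RE.test(uri)) {
    return new URL(uri).href; // absolute URI, e.g. https://reports.example/csp
  }
  const placeholderScheme = 'https:';
  const placeholderOrigin = placeholderScheme + '//placeholder.invalid';
  if (uri.startsWith('//')) {
    // Network-path reference: keep the host, drop only the scheme we added.
    return new URL(placeholderScheme + uri).href.slice(placeholderScheme.length);
  }
  const resolved = new URL(uri, placeholderOrigin).href.slice(placeholderOrigin.length);
  // Path-absolute references keep their leading "/"; path-noscheme, query-only
  // and fragment-only references lose the "/" the placeholder root added.
  return uri.startsWith('/') ? resolved : resolved.slice(1);
}

// camelCase option key -> CSP directive name (defaultSrc -> default-src, reportURI -> report-uri).
function toDirectiveName(key) {
  return key.replace(/[A-Z]+/g, (m) => '-' + m.toLowerCase());
}

// Serialises a directives object into a Content-Security-Policy header value,
// running every report-uri value through the tolerant encoder.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([key, value]) => {
      const name = toDirectiveName(key);
      const values = Array.isArray(value) ? value : [value];
      const rendered = name === 'report-uri' ? values.map(encodeReportURI) : values;
      return `${name} ${rendered.join(' ')}`;
    })
    .join('; ');
}

// Constructed sample directives, the same shape as the next.config.mjs in the report.
const sampleDirectives = {
  defaultSrc: "'self'",
  styleSrc: ["'self'", 'https://stackpath.bootstrapcdn.com'],
  reportURI: '/api/csp_violation',
};

console.log(strictURIFailure('/api/csp_violation')); // a TypeError: the strict encoder rejects the bare path
console.log(buildCspHeader(sampleDirectives));        // header built with the relative report-uri intact
```

Two caveats for anyone porting this: the browser resolves a relative report-uri against the URL of the document that carries the header, so a policy served from several mount points reports to a path relative to each; and report-uri is deprecated in CSP Level 3 in favour of report-to, so a tolerant encoder should be applied to whichever reporting directive the library emits.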