Embarrassing follow-up to PR #4. I wrote:
script-src: 'unsafe-inline' https://www.googletagmanager.com;
img-src: www.googletagmanager.com;
Colons. There shouldn't be colons. CSP directive syntax is <directive-name> <source-list>;, space-separated, no punctuation between the name and the list.
The browser's reaction to a malformed directive is to silently ignore it, which is the most useless possible failure mode for a developer who wants to know whether their fix worked. I only caught it by pasting the live response header into one of those CSP validator sites out of suspicion that nothing had changed.
The fix
- script-src: 'unsafe-inline' https://www.googletagmanager.com;
- img-src: www.googletagmanager.com;
+ script-src 'unsafe-inline' https://www.googletagmanager.com;
+ img-src www.googletagmanager.com;

Two characters removed. Worth shipping as its own PR because it makes the intent visible in git history: PR #4 added the directives, PR #5 actually made them work. Future me reading git log next.config.js will understand the sequence better than if I'd squashed them.
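Review bot: because the two `-` lines were never recognised as directives, no script-src or img-src restriction was in effect before this change, so the `+` lines are the first time this policy is actually enforced; verify in a browser after deploy that the Tag Manager script and any inline scripts the site relies on still load, rather than treating this as a pure typo fix. Separately, `'unsafe-inline'` in `script-src` permits every inline script on the page, which gives up most of what a script-src directive is for; if the inline scripts are the GTM bootstrap snippet, a nonce or hash source for that snippet would keep the allowlist meaningful.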
Lesson I keep re-learning
If a config change "did nothing," check whether the config was actually parsed. Silent-ignore-on-parse-error is the worst failure mode in all of software, and CSP is one of dozens of config formats that handle it that way.
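As an added example (not code from the PR or from the project), here is the kind of check the two paragraphs above argue for: a small lint that parses a CSP header the way the spec does (split on `;`, first token is the directive name, the rest is the source list) and reports every directive name a browser would not recognise and would therefore drop. The `"script-src:"` typo from PR #4 surfaces as an unknown directive with a "did you mean" hint, instead of silently doing nothing. The two sample policies are constructed from the header text in this post; `KNOWN_DIRECTIVES` is the directive set defined by CSP Level 3. The advisory about `'unsafe-inline'` is an extra check added here, not something the post asks for.

```javascript
// Added example: lint a Content-Security-Policy value for directives a
// browser would silently ignore. Not part of the project this post describes.

// Directive names a CSP Level 3 browser recognises.
const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "script-src-elem", "script-src-attr",
  "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "frame-src", "child-src",
  "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
  "sandbox", "report-uri", "report-to", "upgrade-insecure-requests",
]);

// Parse a policy as the spec does: directives are separated by ';', the first
// whitespace-separated token is the directive name, everything after it is the
// source list. Nothing here is validated yet; that is lintCsp's job.
function parseCsp(policy) {
  return policy
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0)
    .map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      return { name: name.toLowerCase(), sources };
    });
}

// Return one warning string per problem found. An unknown directive name is the
// important case: the browser drops it without enforcing anything.
function lintCsp(policy) {
  const warnings = [];
  for (const { name, sources } of parseCsp(policy)) {
    if (!KNOWN_DIRECTIVES.has(name)) {
      // Catch the exact mistake from PR #4: a trailing colon on the name.
      const stripped = name.replace(/:$/, "");
      const hint = KNOWN_DIRECTIVES.has(stripped)
        ? ` (did you mean "${stripped}"? a directive name takes no colon)`
        : "";
      warnings.push(`unknown directive "${name}" will be ignored${hint}`);
      continue;
    }
    // Advisory only: 'unsafe-inline' in script-src allows any inline script.
    if (name === "script-src" && sources.includes("'unsafe-inline'")) {
      warnings.push(
        `"script-src" allows 'unsafe-inline'; prefer a nonce or hash for the inline snippet`
      );
    }
  }
  return warnings;
}

// Constructed samples: the malformed header from PR #4 and the fixed one from PR #5.
const BROKEN =
  "script-src: 'unsafe-inline' https://www.googletagmanager.com; img-src: www.googletagmanager.com;";
const FIXED =
  "script-src 'unsafe-inline' https://www.googletagmanager.com; img-src www.googletagmanager.com;";

console.log("PR #4 header:", lintCsp(BROKEN));
console.log("PR #5 header:", lintCsp(FIXED));
```

Running this against the PR #4 header reports both `script-src:` and `img-src:` as unknown directives with the colon hint; the PR #5 header passes the parse check and leaves only the `'unsafe-inline'` advisory. Wiring `lintCsp` into a test that reads the policy string out of next.config.js would have caught the typo before it was deployed.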