Issue Station
Sign In
Tools hereToolbox

nextjs - 💡(How to fix) Fix next-route-announcer causes CSP style-src violation due to inline styles [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
vercel/next.js#83764Fetched 2026-04-08 02:21:37
View on GitHub
Comments
1
Participants
2
Timeline
10
Reactions
0
Author
OoMNoOOoMNoO
Participants
github-actions[bot]github-actions[bot]OoMNoOOoMNoO
Timeline (top)
labeled ×6closed ×1commented ×1issue_type_added ×1

Error Message

  1. Observe the CSP violation error for the next-route-announcer's inline style in the console.

Fix Action

Fix / Workaround

  • The workaround of adding 'unsafe-inline' to the CSP is not a viable solution as it defeats a primary security benefit of CSP.

  • The current fixes require patching node_modules, which is unsustainable and breaks the warranty of using a managed framework.

Temporary Workaround: https://github.com/vercel/next.js/discussions/48097#discussioncomment-14392712

Code Example

2. **Implement a strict CSP.** This can be done using Next.js middleware (

---

// middleware.ts
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

export function middleware(request: NextRequest) {
  // Generate a nonce (only for demonstration, use a more secure method in production)
  const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
  const cspHeader = `
    default-src 'self';
    script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
    style-src 'self' 'nonce-${nonce}';
    img-src 'self' blob: data:;
    font-src 'self';
    object-src 'none';
    base-uri 'self';
    form-action 'self';
    frame-ancestors 'none';
    upgrade-insecure-requests;
  `.replace(/\s{2,}/g, ' ').trim()

  // Apply the CSP header and pass the nonce
  const response = NextResponse.next()
  response.headers.set('Content-Security-Policy', cspHeader)
  response.headers.set('x-nonce', nonce) // Pass nonce for potential use in _document.js

  return response
}

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     */
    {
      source: '/((?!_next/static|_next/image|favicon.ico).*)',
      missing: [
        { type: 'header', key: 'next-router-prefetch' },
        { type: 'header', key: 'purpose', value: 'prefetch' },
      ],
    },
  ],
}

---

Operating System:
  Platform: linux
  Arch: x64
  Version: #63~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 22 19:00:15 UTC 2
  Available memory (MB): 14935
  Available CPU cores: 4
Binaries:
  Node: 20.11.1
  npm: 10.7.0
  Yarn: 1.22.22
  pnpm: N/A
Relevant Packages:
  next: 15.5.3 // Latest available version is detected (15.5.3).
  eslint-config-next: 14.2.3
  react: 19.1.1
  react-dom: 19.1.1
  typescript: 5.9.2
Next.js Config:
  output: N/A
RAW_BUFFERClick to expand / collapse

Link to the code that reproduces this issue

https://github.com/vercel/next.js

To Reproduce

  1. Create a new Next.js app (or use an existing one): npx create-next-app@latest csp-test-app

  2. Implement a strict CSP. This can be done using Next.js middleware (middleware.ts):

// middleware.ts
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

export function middleware(request: NextRequest) {
  // Generate a nonce (only for demonstration, use a more secure method in production)
  const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
  const cspHeader = `
    default-src 'self';
    script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
    style-src 'self' 'nonce-${nonce}';
    img-src 'self' blob: data:;
    font-src 'self';
    object-src 'none';
    base-uri 'self';
    form-action 'self';
    frame-ancestors 'none';
    upgrade-insecure-requests;
  `.replace(/\s{2,}/g, ' ').trim()

  // Apply the CSP header and pass the nonce
  const response = NextResponse.next()
  response.headers.set('Content-Security-Policy', cspHeader)
  response.headers.set('x-nonce', nonce) // Pass nonce for potential use in _document.js

  return response
}

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     */
    {
      source: '/((?!_next/static|_next/image|favicon.ico).*)',
      missing: [
        { type: 'header', key: 'next-router-prefetch' },
        { type: 'header', key: 'purpose', value: 'prefetch' },
      ],
    },
  ],
}

  1. Run the application in production mode: npm run build && npm start

  2. Open the browser's developer console and navigate between pages using the Next.js <Link> component.

  3. Observe the CSP violation error for the next-route-announcer's inline style in the console.

Current vs. Expected behavior

Current BehaviorThe next-route-announcer component renders with inline styles (style="position: absolute;..."), causing a style-src Content Security Policy violation when a strict CSP without 'unsafe-inline' is used.
Expected BehaviorNext.js should either automatically apply the provided CSP nonce to the announcer's inline styles (making it compliant) or provide a configuration option to disable the component entirely for projects that manage accessibility announcements manually.

Provide environment information

Operating System:
  Platform: linux
  Arch: x64
  Version: #63~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 22 19:00:15 UTC 2
  Available memory (MB): 14935
  Available CPU cores: 4
Binaries:
  Node: 20.11.1
  npm: 10.7.0
  Yarn: 1.22.22
  pnpm: N/A
Relevant Packages:
  next: 15.5.3 // Latest available version is detected (15.5.3).
  eslint-config-next: 14.2.3
  react: 19.1.1
  react-dom: 19.1.1
  typescript: 5.9.2
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Connection, Dynamic Routes, Runtime, Pages Router, Route Handlers

Which stage(s) are affected? (Select all that apply)

next build (local)

Additional context

  • This is not a theoretical issue but a concrete blocker for developers in regulated industries or those prioritizing security hardening.

  • The workaround of adding 'unsafe-inline' to the CSP is not a viable solution as it defeats a primary security benefit of CSP.

  • The current fixes require patching node_modules, which is unsustainable and breaks the warranty of using a managed framework.

  • This issue is related to existing discussions #48097, but focuses specifically on the CSP violation aspect, which is a critical and distinct problem.

  • Next.js already has sophisticated nonce handling for other resources; applying this to the announcer would be a consistent and logical extension of existing capabilities.

Temporary Workaround: https://github.com/vercel/next.js/discussions/48097#discussioncomment-14392712

extent analysis

TL;DR

Apply a Content Security Policy (CSP) nonce to the next-route-announcer component's inline styles or provide a configuration option to disable it.

Guidance

  • Review the middleware.ts file to ensure the CSP nonce is correctly generated and applied to the response headers.
  • Investigate modifying the next-route-announcer component to accept and apply the CSP nonce to its inline styles, potentially through a custom implementation or a future update to Next.js.
  • Consider exploring alternative accessibility announcement solutions that do not rely on inline styles, mitigating the CSP violation issue.
  • Evaluate the temporary workaround provided in the discussion comment, which may offer a short-term solution until a more permanent fix is available.

Example

No code example is provided due to the complexity of the issue and the need for a more comprehensive solution.

Notes

The provided environment information and package versions are crucial in understanding the context of the issue. However, without direct access to the Next.js codebase or more specific details on the next-route-announcer component, a definitive solution cannot be guaranteed.

Recommendation

Apply the temporary workaround, as it provides a short-term solution to the CSP violation issue while a more permanent fix is developed and integrated into Next.js. This approach allows for continued development and deployment of secure applications without completely disabling the CSP or resorting to less secure alternatives like 'unsafe-inline'.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#optimization#retriever error#indexing error#inference speed#output truncation

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING