Vercel Toolbar with strict CSP? (follow-up)

paulvandyk · October 31, 2024, 6:24pm

This is a follow-up of Vercel Toolbar with strict CSP? since the thread has been closed and replies are no longer possible.

I wanted to see if there are any plans to support this? currently we need to do some dirty trickets to get the toolbar to work, for example:

  // allow toolbar for internal team: see https://community.vercel.com/t/vercel-toolbar-with-strict-csp/471
  const disableVercelToolbar = !rootData?.user?.email?.includes('@acme.com')

  // see: https://web.dev/articles/strict-csp
  const cspHeader = createCspHeader(
    {
      'script-src': `'nonce-${nonce}' 'unsafe-inline' 'unsafe-eval' https: http:`,
      'object-src': "'none'",
      'base-uri': "'none'",
    },
    {
      includeHeaderName: false,
      presets: disableVercelToolbar ? [{ 'script-src': "'strict-dynamic'" }] : [],
    }
  )

  responseHeaders.set('Content-Security-Policy', cspHeader)

It would be great if we could get some support with strict-dynamic + nonce csp headers.

amyegan · October 31, 2024, 9:29pm

As you probably saw in the other post, the docs have some info on using a Content Security Policy. But the toolbar does not currently support strict-dynamic CSP.

Pauline already shared the previous post with the engineering team, and I’ll link this post as well.

amyegan · October 31, 2024, 9:33pm

I moved this topic to the Feedback category and extended the expiration date so others can add join the conversation

paulvandyk · March 3, 2025, 4:04pm

Any hope to see this land some time this year?

mrmckeb · June 20, 2025, 5:12am

I’ve just hit this issue today too. We use the Toolbar in all environments - local/dev, preview, and production - so this means we have to leave ‘unsafe-inline’ styles on for now.

If the toolbar could accept a nonce, or use the one from middleware, that would be great.

deammer · September 3, 2025, 10:26am

This issue prevents my company from using the Vercel toolbar, which is a shame. It would be so easy to pass a nonce to the toolbar!

amyegan · September 4, 2025, 6:27pm

If you add the toolbar using the @vercel/toolbar package, you can pass the nonce as a prop like <VercelToolbar nonce={nonce} />

This is experimental. It’s not fully documented and not many teams have used it yet. If you try it, please let us know whether it works well or needs iteration

mpost-hai · September 4, 2025, 7:39pm

This approach doesn’t make sense at all if you’re generating the nonces in middleware. CSP is delivered as a series of response headers, so generating the values in middleware seems to make the most sense, right?

ryanparker · November 26, 2025, 2:03am

Passing nonce to the toolbar doesn’t resolve the iOS The operation is insecure error

Topic		Replies	Views
Vercel Toolbar with strict CSP? Help	3	198	September 7, 2024
Critical CSP Bug: Platform blocks 'unsafe-eval' despite correct config Help security	5	62	November 26, 2025
Persistent Content Security Policy (CSP) Caching on Help	1	82	December 5, 2025
The Content Security Policy (CSP) is causing the website to load blank Help	3	113	September 29, 2025
Builder returned invalid routes: should NOT be longer than 4096 char Feedback nextjs	4	158	September 23, 2025

Vercel Toolbar with strict CSP? (follow-up)

Related topics