I'm trying to set a restrictive CSP for a secure application, and my use case not not allow for 'unsafe-eval'.
By default NextJS and Webpack use eval-source-maps that use eval() repeatedly, meaning this breaks my development environment. I understand these source maps are not used in production, but this means that I have to use different settings in my dev and prodction environments, which makes it very hard to debug CSP related issues.
I tried the solutions proposed by a few open issues on Github, listed below, but with no avail. NextJS simply overrides the source maps back to eval-source-maps when in dev, even when you explicitly add to the config to set devtool: false or devtool: source-map. It's wild to me that it automatically overrides the developer's manual override back to the default setting which is causing the problem, but thats where we're at!
Has anyone solved this? It would seem odd to me to intentionally use less secure settings for dev env when building an app that requires high levels of security.
Relevant github issues: https://github.com/vercel/next.js/discussions/20294 https://github.com/webpack/webpack/issues/4899 https://github.com/vercel/next.js/discussions/21425