Split up the lib into multiple packages #66

@nibtime

Motivation

The main problem regarding maintainability is that it is the single package that depends on latest Next as a whole.

  • to support more setups/versions of Next
  • to support next export,
  • decoupling from Vercel for more hosting providers.
  • to put out major releases gradually for the stuff that works and is tested and keep the more experimental packages in the minors.

@strict-csp/builder

  • basic utilities with typing/IntelliSense for dealing with CSPs, parse/stringify, merge, etc. with fluent builder interface
  • with stackable directive presets (presets for CSP directives #43) for services (GitHub, Vercel, Netlify, headless CMS, Google Fonts, ...)
  • with separate crypto bundles for node and V8 runtime (@strict-csp/builder/dist/node, @strict-csp/builder/dist/v8) that include algorithms for hashing and nonce generation

Dependencies

none

@strict-csp/next-ssr

  • injects hashes into scripts with src during prerender or loads them by hashed trusted inline proxy
  • processes Head and initialProps.html for sources
  • writes out static CSP manifest to _next/~csp/csp-manifest.json (Static CSP manifest #40) for post-build-processing
  • additional processing of sources on top of scripts and inline styles can be implemented
  • augment CSP with nonce for dynamic pages

Dependencies

  • @strict-csp/builder
  • next >= 11 (peer) - the lowest version that supports next/script

References

vercel/next.js#23993 (comment). This is a good reference for HTML processing for CSP with cheerio

@strict-csp/next-headers

  • build-time post-processing of _next/~csp/csp-manifest.json
  • can write out / extend headers with CSP configuration + data from CSP manifest for several hosting providers (vercel.json, firebase.json, Netlify _headers, ...)
  • enables hash-based strict CSP by Response header with reporting for static sites with next export

Dependencies

  • @strict-csp/builder
  • @strict-csp/next-ssr (peer)

Resources

@next-middleware/chainable

  • utilities to compose/chain middleware, required to ship reusable middleware with a package

Dependencies

  • next >= 12.2.4 (peer) - with stable root-level middleware and routing bugs fixed

@strict-csp/next-middleware

  • will have the best DX and versatility, with composable/chainable configuration
  • can factor in dynamic request data (Browser + Version) for CSP configuration

Dependencies

  • @strict-csp/builder
  • @strict-csp/next-ssr (peer)
  • @next-middleware/chainable

Originally posted by @nibtime in #60 (comment)
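
As an added illustration (not code from this issue or from the project), the sketch below shows the parse/merge/stringify and hashing utilities described for @strict-csp/builder feeding the per-route, hash-based header values described for @strict-csp/next-headers. All function names, the merge semantics and the manifest shape (route mapped to inline script texts) are assumptions; the real csp-manifest.json format is not shown on this page.

```javascript
const { createHash } = require('node:crypto');

// CSP hash source: base64 SHA-256 over the exact inline script text.
function hashSource(inlineScript) {
  const digest = createHash('sha256').update(inlineScript, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Parse a serialized policy into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase(); // directive names are case-insensitive
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (!Object.hasOwn(directives, key)) directives[key] = sources;
  }
  return directives;
}

// Assumed merge semantics: union per directive; 'none' is dropped once any
// other source is present, because 'none' is only valid on its own.
function mergeCsp(base, extra) {
  const merged = {};
  for (const name of new Set([...Object.keys(base), ...Object.keys(extra)])) {
    const sources = [...new Set([...(base[name] || []), ...(extra[name] || [])])];
    merged[name] = sources.length > 1 ? sources.filter((s) => s !== "'none'") : sources;
  }
  return merged;
}

function stringifyCsp(directives) {
  return Object.entries(directives).map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// One header value per route, allowing only the inline scripts seen at prerender.
function headersFromManifest(manifest, policy) {
  const headers = {};
  for (const [route, scripts] of Object.entries(manifest)) {
    const scriptSrc = { 'script-src': [...scripts.map(hashSource), "'strict-dynamic'"] };
    headers[route] = stringifyCsp(mergeCsp(parseCsp(policy), scriptSrc));
  }
  return headers;
}

// Constructed sample input; the manifest shape and all names here are hypothetical.
const sampleManifest = { '/': ['console.log("home")'], '/about': ['console.log("about")'] };
const basePolicy = "script-src 'none'; object-src 'none'; base-uri 'none'";
console.log(headersFromManifest(sampleManifest, basePolicy));
```

Because a hash covers the exact script bytes, any change to an inline script after the manifest is written makes the browser block it until the header is regenerated.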

Labels

enhancement (New feature or request)
