AntFleet

Disagreement · 52c62f95-openai-0

CSP allows 'unsafe-inline' in style-src, weakening policy and contradicting comment

mismatch
repo e24ef98c · PR #5 · reviewed 2 weeks ago

Primary finding

CSP allows 'unsafe-inline' in style-src, weakening policy and contradicting comment

medium · security · high
  • apps/web/middleware.ts:24-26
  • apps/web/middleware.ts:30
'unsafe-inline' in style-src permits inline styles, reducing CSP strictness and enabling CSS injection vectors. The surrounding comment explicitly claims no 'unsafe-inline', so the code both weakens security and misleads maintainers.

Recommendation

Remove 'unsafe-inline' from style-src for production builds. If inline styles are required during development, gate it by NODE_ENV (include only in development). If specific inline styles are needed in production, use nonces or hashes instead of 'unsafe-inline'.

Counterpart finding

CSP comment claims 'no unsafe-inline' but style-src includes 'unsafe-inline'

low · docs-gap · high
  • apps/web/middleware.ts:25-36
The block comment immediately above the CSP declares 'No unsafe-inline, no unsafe-eval — Next.js 16 + Tailwind v4 + next/font emit static styles that don't need either.' But the very next line sets style-src to 'self' 'unsafe-inline'. This is a deceptive comment that misrepresents the actual policy. A future reader (or a security reviewer relying on the comment) could be misled into believing inline styles are fully blocked when they are not. The trailing inline comment 'Tailwind utility classes are inline-equivalent in dev' further contradicts the leading comment and is itself wrong: Tailwind utility classes are class-based, not inline; what actually requires 'unsafe-inline' is Next.js's runtime-injected <style> tags or third-party inline styles, not Tailwind utilities.

Recommendation

Either (a) remove 'unsafe-inline' from style-src and fix any breakage with a nonce/hash strategy, or (b) update the block comment to accurately state that style-src retains 'unsafe-inline' and explain why. Also correct the misleading inline comment about Tailwind.
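As an added example (not code from the reviewed repository or from AntFleet), the TypeScript below shows the two remedies both recommendations describe: 'unsafe-inline' in style-src gated on NODE_ENV, and a per-request nonce in production. It also includes the check a reviewer would want, which reports directives where 'unsafe-inline' is actually in effect. The names buildCsp, makeNonce, parseCsp and effectiveUnsafeInline are hypothetical, and the directive set is assumed rather than taken from middleware.ts.

```typescript
import { randomBytes } from "crypto";

// Constructed example, not code from the reviewed repository. Builds the CSP
// value a middleware like apps/web/middleware.ts would set: 'unsafe-inline'
// in style-src only outside production, a per-request nonce in production.
function buildCsp(nodeEnv: string, nonce: string): string {
  const styleSrc =
    nodeEnv === "production"
      ? `'self' 'nonce-${nonce}'`
      : `'self' 'unsafe-inline'`; // dev only: runtime-injected <style> tags
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src ${styleSrc}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Fresh 128-bit nonce per request; a nonce must never be static or reused.
function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

// Split a CSP header into directive name -> source expressions.
function parseCsp(csp: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of csp.split(";")) {
    const [name = "", ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Reviewer check for the mismatch in the finding: list directives where
// 'unsafe-inline' is actually in effect. A nonce or hash source in the same
// directive makes CSP Level 2+ browsers ignore 'unsafe-inline', so those
// directives are not reported (the keyword is then only a legacy fallback).
function effectiveUnsafeInline(csp: string): string[] {
  const hits: string[] = [];
  parseCsp(csp).forEach((sources, name) => {
    const hasInline = sources.includes("'unsafe-inline'");
    const hasNonceOrHash = sources.some((s) =>
      /^'(nonce|sha(256|384|512))-/.test(s)
    );
    if (hasInline && !hasNonceOrHash) hits.push(name);
  });
  return hits;
}
```

Running effectiveUnsafeInline over the header the middleware actually emits is a cheap test to keep the block comment and the policy from drifting apart again.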

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.