report-only headers don't work with SSR

Hey! I'm using the package in a repo that uses `getServerSideProps`. Following the [strict CSP configuration](https://next-safe-middleware.vercel.app/guides/strict-csp-configuration),  every getServerSideProps is wrapped with gsspWithNonce, and it works fine, setting the correct _Content-Security-Policy_ header.

However,  if `reportOnly` is set to true, it ends up setting an empty _Content-Security-Policy-Report-Only_ header.
After some debugging, I've found out that although the headers are correctly set in the middleware, they get overridden with an empty value on the document `getIinitialProps` because getCspInitialProps uses a [getter that contains a bug](https://github.com/nibtime/next-safe-middleware/blob/%40next-safe/middleware%400.10.0/packages/next-safe-middleware/src/document/NextPageContext/csp.ts#L19):

<img width="543" alt="Screenshot 2023-08-09 at 11 54 11" src="https://github.com/nibtime/next-safe-middleware/assets/25818826/f4cf09fd-142d-4572-8d85-d5b0b7610106">

Notice that the directives returned from the report-only block should use the report-only header, _i.e._:
```ts
if (cspContentReportOnly) {
  return {
    directives: fromCspContent(cspContentReportOnly),
    reportOnly: true,
  };
}
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

report-only headers don't work with SSR #97

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

report-only headers don't work with SSR #97

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions