diff --git a/examples/with-dynamic-csp/README.md b/examples/with-dynamic-csp/README.md
new file mode 100644
index 0000000000000..56ad655092f73
--- /dev/null
+++ b/examples/with-dynamic-csp/README.md
@@ -0,0 +1,48 @@
+[![Deploy to now](https://deploy.now.sh/static/button.svg)](https://deploy.now.sh/?repo=https://github.com/zeit/next.js/tree/master/examples/with-dynamic-csp)
+
+# Strict CSP example
+
+## How to use
+
+### Using `create-next-app`
+
+Execute [`create-next-app`](https://github.com/segmentio/create-next-app) with [Yarn](https://yarnpkg.com/lang/en/docs/cli/create/) or [npx](https://github.com/zkat/npx#readme) to bootstrap the example:
+
+```bash
+npx create-next-app --example with-dynamic-csp with-dynamic-csp-app
+# or
+yarn create next-app --example with-dynamic-csp with-dynamic-csp-app
+```
+
+### Download manually
+
+Download the example:
+
+```bash
+curl https://codeload.github.com/zeit/next.js/tar.gz/canary | tar -xz --strip=2 next.js-canary/examples/with-dynamic-csp
+cd with-dynamic-csp
+```
+
+Install it and run:
+
+```bash
+npm install
+npm run dev
+# or
+yarn
+yarn dev
+```
+
+Deploy it to the cloud with [now](https://zeit.co/now) ([download](https://zeit.co/download))
+
+```bash
+now
+```
+
+## The idea behind the example
+
+**If** you are having difficulty setting up a *standard* Content Security Policy, then you might need to use a [dynamic policy](https://csp.withgoogle.com/docs/strict-csp.html). This is less secure than effective whitelisting, but if your project cannot employ effective whitelisting, this can be a secure alternative. For it to work, we need to generate a nonce on every request, so this is limited to server rendered projects.
+
+Next.js supports generating nonces for our CSP out of the box.
+
+Note that when using `style-src 'nonce-{style-nonce}' 'unsafe-inline';` the nonce is automatically applied to your `styled-jsx` styles when using `<style jsx>`. This is the most secure way of using `styled-jsx`. Next.js adds a meta tag to support [Material UI's CSS in JSS](https://material-ui.com/css-in-js/advanced/#content-security-policy-csp) or when using [JSS](https://github.com/cssinjs/jss/blob/master/docs/csp.md) as well.
diff --git a/examples/with-dynamic-csp/next.config.js b/examples/with-dynamic-csp/next.config.js
new file mode 100644
index 0000000000000..8e8885360816c
--- /dev/null
+++ b/examples/with-dynamic-csp/next.config.js
@@ -0,0 +1,3 @@
+module.exports = {
+  contentSecurityPolicy: "base-uri 'none';object-src 'none';script-src: 'nonce-{script-nonce}' 'strict-dynamic' 'unsafe-inline' http: https:;style-src 'nonce-{style-nonce}' 'unsafe-inline';"
+}
diff --git a/examples/with-strict-csp-hash/package.json b/examples/with-dynamic-csp/package.json
similarity index 70%
rename from examples/with-strict-csp-hash/package.json
rename to examples/with-dynamic-csp/package.json
index bcb456b4fdf37..f9f8ab2838820 100644
--- a/examples/with-strict-csp-hash/package.json
+++ b/examples/with-dynamic-csp/package.json
@@ -1,6 +1,6 @@
 {
-  "name": "with-strict-csp-hash",
-  "version": "1.0.0",
+  "name": "with-dynamic-csp",
+  "version": "2.0.0",
   "scripts": {
     "dev": "next",
     "build": "next build",
@@ -10,6 +10,5 @@
     "next": "latest",
     "react": "^16.0.0",
     "react-dom": "^16.0.0"
-  },
-  "license": "ISC"
+  }
 }
diff --git a/examples/with-strict-csp/pages/_document.js b/examples/with-dynamic-csp/pages/_document.js
similarity index 60%
rename from examples/with-strict-csp/pages/_document.js
rename to examples/with-dynamic-csp/pages/_document.js
index 05e710f6f3c48..924d0f7ac1e57 100644
--- a/examples/with-strict-csp/pages/_document.js
+++ b/examples/with-dynamic-csp/pages/_document.js
@@ -7,20 +7,26 @@ const inlineScript = (body, nonce) => (
 export default class MyDocument extends Document {
   static async getInitialProps (ctx) {
     const initialProps = await Document.getInitialProps(ctx)
-    const { nonce } = ctx.res.locals
-    return { ...initialProps, nonce }
+    const { scriptNonce, styleNonce } = ctx
+    return { ...initialProps, scriptNonce, styleNonce }
   }
 
   render () {
-    const { nonce } = this.props
+    const { scriptNonce, styleNonce } = this.props
     return (
       <html>
-        <Head nonce={nonce}>
-          {inlineScript(`console.log('Inline script with nonce')`, nonce)}
+        <Head>
+          <style nonce={styleNonce}>{`
+            body {
+              background: black;
+              color: white;
+            }
+          `}</style>
+          {inlineScript(`console.log('Inline script with nonce')`, scriptNonce)}
         </Head>
         <body>
           <Main />
-          <NextScript nonce={nonce} />
+          <NextScript />
         </body>
       </html>
     )
diff --git a/examples/with-dynamic-csp/pages/index.js b/examples/with-dynamic-csp/pages/index.js
new file mode 100644
index 0000000000000..023b00939e083
--- /dev/null
+++ b/examples/with-dynamic-csp/pages/index.js
@@ -0,0 +1,8 @@
+export default () => <div>
+  <h1>Hello World</h1>
+  <style jsx>{`
+    h1 {
+      font-size: 150px;
+    }
+  `}</style>
+</div>
diff --git a/examples/with-strict-csp-hash/README.md b/examples/with-strict-csp-hash/README.md
deleted file mode 100644
index 21b5e667c21f9..0000000000000
--- a/examples/with-strict-csp-hash/README.md
+++ /dev/null
@@ -1,48 +0,0 @@
-[![Deploy to now](https://deploy.now.sh/static/button.svg)](https://deploy.now.sh/?repo=https://github.com/zeit/next.js/tree/master/examples/with-strict-csp-hash)
-
-# Example app with strict CSP generating script hash
-
-## How to use
-
-### Using `create-next-app`
-
-Execute [`create-next-app`](https://github.com/segmentio/create-next-app) with [Yarn](https://yarnpkg.com/lang/en/docs/cli/create/) or [npx](https://github.com/zkat/npx#readme) to bootstrap the example:
-
-```bash
-npx create-next-app --example with-strict-csp-hash with-strict-csp-hash-app
-# or
-yarn create next-app --example with-strict-csp-hash with-strict-csp-hash-app
-```
-
-### Download manually
-
-Download the example:
-
-```bash
-curl https://codeload.github.com/zeit/next.js/tar.gz/canary | tar -xz --strip=2 next.js-canary/examples/with-strict-csp-hash
-cd with-strict-csp-hash
-```
-
-Install it and run:
-
-```bash
-npm install
-npm run dev
-# or
-yarn
-yarn dev
-```
-
-Deploy it to the cloud with [now](https://zeit.co/now) ([download](https://zeit.co/download))
-
-```bash
-now
-```
-
-## The idea behind the example
-
-This example features how you can set up a strict CSP for your pages whitelisting next's inline bootstrap script by hash.
-In contrast to the example `with-strict-csp` based on nonces, this way doesn't require running a server to generate fresh nonce values on every document request.
-It defines the CSP by document `meta` tag.
-
-Note: There are still valid cases for using a nonce in case you need to inline scripts or styles for which calculating a hash is not feasible.
diff --git a/examples/with-strict-csp-hash/pages/_document.js b/examples/with-strict-csp-hash/pages/_document.js
deleted file mode 100644
index a894ff12f5397..0000000000000
--- a/examples/with-strict-csp-hash/pages/_document.js
+++ /dev/null
@@ -1,26 +0,0 @@
-import crypto from 'crypto'
-import Document, { Head, Main, NextScript } from 'next/document'
-
-const cspHashOf = (text) => {
-  const hash = crypto.createHash('sha256')
-  hash.update(text)
-  return `'sha256-${hash.digest('base64')}'`
-}
-
-export default class extends Document {
-  render () {
-    const csp = `default-src 'self'; script-src 'self' ${cspHashOf(NextScript.getInlineScriptSource(this.props))}`
-
-    return (
-      <html>
-        <Head>
-          <meta httpEquiv='Content-Security-Policy' content={csp} />
-        </Head>
-        <body>
-          <Main />
-          <NextScript />
-        </body>
-      </html>
-    )
-  }
-}
diff --git a/examples/with-strict-csp-hash/pages/index.js b/examples/with-strict-csp-hash/pages/index.js
deleted file mode 100644
index 3d446a4e89b82..0000000000000
--- a/examples/with-strict-csp-hash/pages/index.js
+++ /dev/null
@@ -1,3 +0,0 @@
-export default () => (
-  <div>Hello World</div>
-)
diff --git a/examples/with-strict-csp/README.md b/examples/with-strict-csp/README.md
deleted file mode 100644
index d3ea38d8fe6bf..0000000000000
--- a/examples/with-strict-csp/README.md
+++ /dev/null
@@ -1,46 +0,0 @@
-[![Deploy to now](https://deploy.now.sh/static/button.svg)](https://deploy.now.sh/?repo=https://github.com/zeit/next.js/tree/master/examples/with-strict-csp)
-
-# Strict CSP example
-
-## How to use
-
-### Using `create-next-app`
-
-Execute [`create-next-app`](https://github.com/segmentio/create-next-app) with [Yarn](https://yarnpkg.com/lang/en/docs/cli/create/) or [npx](https://github.com/zkat/npx#readme) to bootstrap the example:
-
-```bash
-npx create-next-app --example with-strict-csp with-strict-csp-app
-# or
-yarn create next-app --example with-strict-csp with-strict-csp-app
-```
-
-### Download manually
-
-Download the example:
-
-```bash
-curl https://codeload.github.com/zeit/next.js/tar.gz/canary | tar -xz --strip=2 next.js-canary/examples/with-strict-csp
-cd with-strict-csp
-```
-
-Install it and run:
-
-```bash
-npm install
-npm run dev
-# or
-yarn
-yarn dev
-```
-
-Deploy it to the cloud with [now](https://zeit.co/now) ([download](https://zeit.co/download))
-
-```bash
-now
-```
-
-## The idea behind the example
-
-If you want to implement a CSP, the most effective way is to follow the [strict CSP](https://csp.withgoogle.com/docs/strict-csp.html) approach. For it to work, we need to generate a nonce on every request.
-
-This example uses [Helmet](https://github.com/helmetjs/helmet) to configure the CSP and add the appropriate headers to all server responses. The nonce is generated with [uuid](https://github.com/kelektiv/node-uuid). Then we can pass the nonce to `<Head>` and `<NextScript>` in the custom `<Document>`.
diff --git a/examples/with-strict-csp/csp.js b/examples/with-strict-csp/csp.js
deleted file mode 100644
index c775c1f664a8d..0000000000000
--- a/examples/with-strict-csp/csp.js
+++ /dev/null
@@ -1,31 +0,0 @@
-const helmet = require('helmet')
-const uuidv4 = require('uuid/v4')
-
-module.exports = function csp (app) {
-  // Create a nonce on every request and make it available to other middleware
-  app.use((req, res, next) => {
-    res.locals.nonce = Buffer.from(uuidv4()).toString('base64')
-    next()
-  })
-
-  const nonce = (req, res) => `'nonce-${res.locals.nonce}'`
-
-  const scriptSrc = [nonce, "'strict-dynamic'", "'unsafe-inline'", 'https:']
-
-  // In dev we allow 'unsafe-eval', so HMR doesn't trigger the CSP
-  if (process.env.NODE_ENV !== 'production') {
-    scriptSrc.push("'unsafe-eval'")
-  }
-
-  app.use(
-    helmet({
-      contentSecurityPolicy: {
-        directives: {
-          baseUri: ["'none'"],
-          objectSrc: ["'none'"],
-          scriptSrc
-        }
-      }
-    })
-  )
-}
diff --git a/examples/with-strict-csp/package.json b/examples/with-strict-csp/package.json
deleted file mode 100644
index 0a6bafdb7cb05..0000000000000
--- a/examples/with-strict-csp/package.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
-  "name": "with-strict-csp",
-  "version": "1.0.0",
-  "scripts": {
-    "dev": "node server.js",
-    "build": "next build",
-    "start": "NODE_ENV=production node server.js"
-  },
-  "dependencies": {
-    "express": "^4.14.0",
-    "helmet": "3.13.0",
-    "next": "latest",
-    "react": "^16.0.0",
-    "react-dom": "^16.0.0",
-    "uuid": "3.3.2"
-  }
-}
diff --git a/examples/with-strict-csp/pages/index.js b/examples/with-strict-csp/pages/index.js
deleted file mode 100644
index 3d446a4e89b82..0000000000000
--- a/examples/with-strict-csp/pages/index.js
+++ /dev/null
@@ -1,3 +0,0 @@
-export default () => (
-  <div>Hello World</div>
-)
diff --git a/examples/with-strict-csp/server.js b/examples/with-strict-csp/server.js
deleted file mode 100644
index 5ea055bb52e93..0000000000000
--- a/examples/with-strict-csp/server.js
+++ /dev/null
@@ -1,22 +0,0 @@
-const express = require('express')
-const next = require('next')
-const csp = require('./csp')
-
-const port = parseInt(process.env.PORT, 10) || 3000
-const dev = process.env.NODE_ENV !== 'production'
-const app = next({ dev })
-const handle = app.getRequestHandler()
-
-app.prepare()
-  .then(() => {
-    const server = express()
-
-    csp(server)
-
-    server.use(handle)
-
-    server.listen(port, (err) => {
-      if (err) throw err
-      console.log(`> Ready on http://localhost:${port}`)
-    })
-  })
diff --git a/packages/next-server/server/config.js b/packages/next-server/server/config.js
index b560b4754ecde..bd4cd50d1c0c3 100644
--- a/packages/next-server/server/config.js
+++ b/packages/next-server/server/config.js
@@ -11,6 +11,7 @@ const defaultConfig = {
   useFileSystemPublicRoutes: true,
   generateBuildId: () => null,
   generateEtags: true,
+  contentSecurityPolicy: null,
   pageExtensions: ['jsx', 'js']
 }
 
diff --git a/packages/next-server/server/next-server.ts b/packages/next-server/server/next-server.ts
index 54887e789c14a..adb8ec52038eb 100644
--- a/packages/next-server/server/next-server.ts
+++ b/packages/next-server/server/next-server.ts
@@ -4,6 +4,7 @@ import { resolve, join, sep } from 'path'
 import { parse as parseUrl, UrlWithParsedQuery } from 'url'
 import { parse as parseQs, ParsedUrlQuery } from 'querystring'
 import fs from 'fs'
+import nanoid from 'nanoid'
 import {renderToHTML} from './render'
 import {sendHTML} from './send-html'
 import {serveStatic} from './serve-static'
@@ -31,6 +32,9 @@ export default class Server {
   buildId: string
   renderOpts: {
     staticMarkup: boolean,
+    csp?: string,
+    scriptNonce?: string,
+    styleNonce?: string,
     distDir: string,
     buildId: string,
     generateEtags: boolean,
@@ -203,6 +207,18 @@ export default class Server {
   }
 
   public async render (req: IncomingMessage, res: ServerResponse, pathname: string, query: ParsedUrlQuery = {}, parsedUrl?: UrlWithParsedQuery): Promise<void> {
+    if (this.nextConfig.contentSecurityPolicy) {
+      if (!this.renderOpts.staticMarkup) {
+        this.renderOpts.csp = this.nextConfig.contentSecurityPolicy
+          .replace(/{script-nonce}/gi, () => (this.renderOpts.scriptNonce = this.genNonce()))
+          .replace(/{style-nonce}/gi, () => (this.renderOpts.styleNonce = this.genNonce()))
+
+        this.renderOpts.csp && res.setHeader('Content-Security-Policy', this.renderOpts.csp)
+      } else {
+        this.renderOpts.csp = this.nextConfig.contentSecurityPolicy
+      }
+    }
+
     const url: any = req.url
     if (isInternalUrl(url)) {
       return this.handleRequest(req, res, parsedUrl)
@@ -304,4 +320,8 @@ export default class Server {
       throw err
     }
   }
+
+  genNonce () {
+    return Buffer.from(nanoid(32)).toString('base64')
+  }
 }
diff --git a/packages/next-server/server/render.tsx b/packages/next-server/server/render.tsx
index e16907a612828..6f7a4fe9f12ce 100644
--- a/packages/next-server/server/render.tsx
+++ b/packages/next-server/server/render.tsx
@@ -57,6 +57,9 @@ type RenderOpts = {
   buildId: string,
   runtimeConfig?: {[key: string]: any},
   assetPrefix?: string,
+  csp?: string,
+  scriptNonce?: string,
+  styleNonce?: string,
   err?: Error|null,
   nextExport?: boolean,
   dev?: boolean
@@ -69,6 +72,9 @@ function renderDocument(Document: React.ComponentType, {
   query,
   buildId,
   assetPrefix,
+  csp,
+  scriptNonce,
+  styleNonce,
   runtimeConfig,
   nextExport,
   dynamicImportsIds,
@@ -106,6 +112,9 @@ function renderDocument(Document: React.ComponentType, {
       files={files}
       dynamicImports={dynamicImports}
       assetPrefix={assetPrefix}
+      csp={csp}
+      scriptNonce={scriptNonce}
+      styleNonce={styleNonce}
       {...docProps} 
     />
   )
@@ -116,6 +125,9 @@ export async function renderToHTML (req: IncomingMessage, res: ServerResponse, p
     err,
     buildId,
     distDir,
+    csp,
+    scriptNonce,
+    styleNonce,
     dev = false,
     staticMarkup = false
   } = renderOpts
@@ -137,7 +149,7 @@ export async function renderToHTML (req: IncomingMessage, res: ServerResponse, p
   if (!Document.prototype || !Document.prototype.isReactComponent) throw new Error('_document.js is not exporting a React component')
 
   const asPath = req.url
-  const ctx = { err, req, res, pathname, query, asPath }
+  const ctx = { err, req, res, pathname, query, asPath, csp, styleNonce, scriptNonce }
   const router = new Router(pathname, query, asPath)
   const props = await loadGetInitialProps(App, {Component, router, ctx})
 
diff --git a/packages/next-server/server/send-html.ts b/packages/next-server/server/send-html.ts
index ae1395a9c19a4..3b50fa1e4bc93 100644
--- a/packages/next-server/server/send-html.ts
+++ b/packages/next-server/server/send-html.ts
@@ -5,7 +5,11 @@ import { isResSent } from '../lib/utils'
 
 export function sendHTML (req: IncomingMessage, res: ServerResponse, html: string, { generateEtags }: {generateEtags: boolean}) {
   if (isResSent(res)) return
-  const etag = generateEtags ? generateETag(html) : undefined
+  const etag = generateEtags ? generateETag(
+    html
+      .replace(/<meta property="csp-nonce" content=".+"/gi, '<meta property="csp-nonce" content=""')
+      .replace(/nonce=".+"/gi, 'nonce=""')
+  ) : undefined
 
   if (fresh(req.headers, { etag })) {
     res.statusCode = 304
diff --git a/packages/next/README.md b/packages/next/README.md
index 485f8e321b02a..9428071d55d56 100644
--- a/packages/next/README.md
+++ b/packages/next/README.md
@@ -58,6 +58,7 @@
   - [Reusing the built-in error page](#reusing-the-built-in-error-page)
   - [Custom configuration](#custom-configuration)
     - [Setting a custom build directory](#setting-a-custom-build-directory)
+    - [Content Security Policy](#content-security-policy)
     - [Disabling etag generation](#disabling-etag-generation)
     - [Configuring the onDemandEntries](#configuring-the-ondemandentries)
     - [Configuring extensions looked for when resolving pages in `pages`](#configuring-extensions-looked-for-when-resolving-pages-in-pages)
@@ -198,9 +199,12 @@ Please see the [styled-jsx documentation](https://www.npmjs.com/package/styled-j
 
 <p></p>
 
-It's possible to use any existing CSS-in-JS solution. The simplest one is inline styles:
+It's possible to use any existing CSS-in-JS solution. 
+
+Inline styles should only be used for javascript animations (which should be replaced with CSS animations if possible).
 
 ```jsx
+// Never use inline styles for something as simple as this
 export default () => <p style={{ color: 'red' }}>hi there</p>
 ```
 
@@ -674,19 +678,24 @@ If you want to access the `router` object inside any component in your app, you
 import { withRouter } from 'next/router'
 
 const ActiveLink = ({ children, router, href }) => {
-  const style = {
-    marginRight: 10,
-    color: router.pathname === href ? 'red' : 'black'
-  }
-
   const handleClick = (e) => {
     e.preventDefault()
     router.push(href)
   }
 
   return (
-    <a href={href} onClick={handleClick} style={style}>
+    <a href={href} onClick={handleClick} className={router.pathname === href ? 'alive' : ''}>
       {children}
+      <style>{`
+        a {
+          margin-right: 10px;
+          color: black;
+        }
+
+        a.alive {
+          color: red;
+        }
+      `}</style>
     </a>
   )
 }
@@ -1269,6 +1278,77 @@ module.exports = {
 }
 ```
 
+#### Content Security Policy
+
+Next.js supports the use of [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) out of the box. CSP allows us to whitelist the domains that our app can communicate with to help prevent XSS attacks and minimize the damage that a rouge package might do.
+
+This is the policy Next.js is tested against:
+```
+default-src 'none';
+connect-src 'self';
+img-src 'self';
+script-src 'self';
+style-src 'nonce-{style-nonce}' 'unsafe-inline';
+```
+
+##### Whitelisting Tips
+
+When whitelisting, it's important to whitelist to a point of control. For example, you wouldn't want to whitelist `cdn.tld` because other users might have control over the assets served over this domain. You would want to be more specific like `cdn.tld/yourZoneOfControl`. Obviosuly not all external assets can be whitelisted in this way, so you always want to put some thought into how specific you should be, for instance if you were using a script called `helper` and you could find the asset at `example.com/helper/0.1.0.js` then maybe `example.com/helper` would make sense as a whitelist. This of course depends on the entity who controls the site to serve the expected files, so you should make sure all origins you whitelist are trustworthy.
+
+##### Applying a CSP to Next.js
+
+You can add a CSP to your app by adding a config option. You will have to test your site to ensure all your assets load, if any fail you just need to tweak your policy to support it (see [directives](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)).
+
+```js
+// next.config.js
+module.exports = {
+  contentSecurityPolicy: "default-src 'none'; connect-src 'self' img-src 'self'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';"
+}
+```
+This policy will work on a fresh Next.js install, but if you have added any external assets, you will have to add some origins to this policy. You will also have to use [custom error handling](#custom-error-handling), but this isn't too difficult.
+
+If you can't do custom error handling or are using static rendering, leave off the `'nonce-{style-nonce}`.
+
+##### Whitelisting Styles (`style-src`)
+
+Styles are inserted inline with `styled-jsx`, so must use a nonce to be secure. This is done automatically when you use `style-src 'nonce-{style-nonce}' 'unsafe-inline';` although you can only use `styled-jsx` to add styles to the page (`unsafe-inline` is for backwards compatibility).
+
+If you pull in any other stylesheets, you can whitelist them by adding them to the policy by using:
+```
+style-src https://cdn.tld/controlled 'nonce-{style-nonce}' 'unsafe-inline';
+```
+
+It is posible to use nonces with other CSS-in-JS libraries like [Material-UI](https://material-ui.com/css-in-js/advanced/#content-security-policy-csp) or [JSS](https://github.com/cssinjs/jss/blob/master/docs/csp.md) (See next code snippet to see where to get the generated nonce).
+
+##### Whitelisting Scripts (`script-src`)
+
+Next.js doesn't use any inline-scripts, and neither should you. If you need to use external scripts, then you can whitelist them in your policy.
+```
+script-src https://cdn.tld/controlled 'self';
+```
+
+However, if you cannot whitelist the scripts that you use in your app or you must use inline scripts, you can use:
+
+```
+script-src 'nonce-{script-nonce}' 'unsafe-inline' 'strict-dynamic' https: http:;
+```
+This should be used as a last resort and all scripts you import must have the nonce appended to it, which you can access like this:
+
+```js
+// pages/_document.js
+export default class MyDocument extends Document {
+  static async getInitialProps (ctx) {
+    const initialProps = await Document.getInitialProps(ctx)
+    const { scriptNonce, styleNonce } = ctx
+    return { ...initialProps, scriptNonce, styleNonce }
+  }
+
+  render () {
+    const { scriptNonce, styleNonce } = this.props
+  }
+}
+```
+
 #### Disabling etag generation
 
 You can disable etag generation for HTML pages depending on your cache strategy. If no configuration is specified then Next will generate etags for every page.
diff --git a/packages/next/build/webpack-config.js b/packages/next/build/webpack-config.js
index ed68e6d91a32c..f6f7e0167d1c9 100644
--- a/packages/next/build/webpack-config.js
+++ b/packages/next/build/webpack-config.js
@@ -15,8 +15,7 @@ import BuildManifestPlugin from './webpack/plugins/build-manifest-plugin'
 import ChunkNamesPlugin from './webpack/plugins/chunk-names-plugin'
 import { ReactLoadablePlugin } from './webpack/plugins/react-loadable-plugin'
 import {SERVER_DIRECTORY, REACT_LOADABLE_MANIFEST, CLIENT_STATIC_FILES_RUNTIME_WEBPACK, CLIENT_STATIC_FILES_RUNTIME_MAIN} from 'next-server/constants'
-import {NEXT_PROJECT_ROOT, NEXT_PROJECT_ROOT_NODE_MODULES, NEXT_PROJECT_ROOT_DIST_CLIENT, NEXT_PROJECT_ROOT_DIST_SERVER, DEFAULT_PAGES_DIR} from '../lib/constants'
-import AutoDllPlugin from 'autodll-webpack-plugin'
+import {NEXT_PROJECT_ROOT, NEXT_PROJECT_ROOT_NODE_MODULES, NEXT_PROJECT_ROOT_DIST_CLIENT, NEXT_PROJECT_ROOT_DIST_SERVER, NEXT_PROJECT_ROOT_DIST_STATIC, DEFAULT_PAGES_DIR} from '../lib/constants'
 import TerserPlugin from 'terser-webpack-plugin'
 import AssetsSizePlugin from './webpack/plugins/assets-size-plugin'
 
@@ -278,6 +277,19 @@ export default async function getBaseWebpackConfig (dir, {dev = false, isServer
           include: defaultLoaders.hotSelfAccept.options.include,
           use: defaultLoaders.hotSelfAccept
         },
+        // TODO: putting !isServer here causes problems?
+        {
+          include: [NEXT_PROJECT_ROOT_DIST_STATIC],
+          use: [
+            {
+              loader: 'emit-file-loader',
+              options: {
+                name: `static/runtime/${dev ? '[name]-[hash].[ext]' : '[name]-[hash].[ext]'}`,
+                importPath: true
+              }
+            }
+          ]
+        },
         {
           test: /\.(js|jsx)$/,
           include: [dir, NEXT_PROJECT_ROOT_DIST_CLIENT, DEFAULT_PAGES_DIR, /next-server[\\/]dist[\\/]lib/],
@@ -293,22 +305,6 @@ export default async function getBaseWebpackConfig (dir, {dev = false, isServer
       ].filter(Boolean)
     },
     plugins: [
-      // Precompile react / react-dom for development, speeding up webpack
-      dev && !isServer && new AutoDllPlugin({
-        filename: '[name]_[hash].js',
-        path: './static/development/dll',
-        context: dir,
-        entry: {
-          dll: [
-            'react',
-            'react-dom'
-          ]
-        },
-        config: {
-          mode: webpackMode,
-          resolve: resolveConfig
-        }
-      }),
       // This plugin makes sure `output.filename` is used for entry chunks
       new ChunkNamesPlugin(),
       !isServer && new ReactLoadablePlugin({
diff --git a/packages/next/build/webpack/loaders/emit-file-loader.js b/packages/next/build/webpack/loaders/emit-file-loader.js
index 7ab6020f58759..2c226f1b839cb 100644
--- a/packages/next/build/webpack/loaders/emit-file-loader.js
+++ b/packages/next/build/webpack/loaders/emit-file-loader.js
@@ -25,7 +25,7 @@ module.exports = function (content, sourceMap) {
   const interpolatedName = interpolateName(loaderUtils.interpolateName(this, name, opts), {name, opts})
   const emit = (code, map) => {
     this.emitFile(interpolatedName, code, map)
-    callback(null, code, map)
+    query.importPath ? callback(null, `module.exports = '${interpolatedName}';`) : callback(null, code, map)
   }
 
   if (query.transform) {
diff --git a/packages/next/build/webpack/plugins/build-manifest-plugin.js b/packages/next/build/webpack/plugins/build-manifest-plugin.js
index ab3f28c7fbdd7..9450ec7670578 100644
--- a/packages/next/build/webpack/plugins/build-manifest-plugin.js
+++ b/packages/next/build/webpack/plugins/build-manifest-plugin.js
@@ -12,13 +12,6 @@ export default class BuildManifestPlugin {
       const mainJsChunk = chunks.find((c) => c.name === CLIENT_STATIC_FILES_RUNTIME_MAIN)
       const mainJsFiles = mainJsChunk && mainJsChunk.files.length > 0 ? mainJsChunk.files.filter((file) => /\.js$/.test(file)) : []
 
-      for (const filePath of Object.keys(compilation.assets)) {
-        const path = filePath.replace(/\\/g, '/')
-        if (/^static\/development\/dll\//.test(path)) {
-          assetMap.devFiles.push(path)
-        }
-      }
-
       // compilation.entrypoints is a Map object, so iterating over it 0 is the key and 1 is the value
       for (const [, entrypoint] of compilation.entrypoints.entries()) {
         const result = ROUTE_NAME_REGEX.exec(entrypoint.name)
diff --git a/packages/next/client/dev-error-overlay/hot-dev-client.js b/packages/next/client/dev-error-overlay/hot-dev-client.js
index f2c5073d2eb39..ae2b2fefa1ff7 100644
--- a/packages/next/client/dev-error-overlay/hot-dev-client.js
+++ b/packages/next/client/dev-error-overlay/hot-dev-client.js
@@ -70,7 +70,8 @@ export default function connect (options) {
   ErrorOverlay.startReportingRuntimeErrors({
     onError: function () {
       hadRuntimeError = true
-    }
+    },
+    className: '__next_error__'
   })
 
   if (module.hot && typeof module.hot.dispose === 'function') {
diff --git a/packages/next/lib/constants.js b/packages/next/lib/constants.js
index ced263c849a85..0fdb78136317e 100644
--- a/packages/next/lib/constants.js
+++ b/packages/next/lib/constants.js
@@ -5,3 +5,4 @@ export const NEXT_PROJECT_ROOT_NODE_MODULES = join(NEXT_PROJECT_ROOT, 'node_modu
 export const DEFAULT_PAGES_DIR = join(NEXT_PROJECT_ROOT_DIST, 'pages')
 export const NEXT_PROJECT_ROOT_DIST_CLIENT = join(NEXT_PROJECT_ROOT_DIST, 'client')
 export const NEXT_PROJECT_ROOT_DIST_SERVER = join(NEXT_PROJECT_ROOT_DIST, 'server')
+export const NEXT_PROJECT_ROOT_DIST_STATIC = join(NEXT_PROJECT_ROOT_DIST, 'static')
diff --git a/packages/next/package.json b/packages/next/package.json
index 122006bd3a9d3..dbd2ce1e08936 100644
--- a/packages/next/package.json
+++ b/packages/next/package.json
@@ -50,7 +50,6 @@
     "@babel/template": "7.1.2",
     "ansi-html": "0.0.7",
     "async-sema": "^2.1.4",
-    "autodll-webpack-plugin": "0.4.2",
     "babel-core": "7.0.0-bridge.0",
     "babel-loader": "8.0.2",
     "babel-plugin-react-require": "3.0.0",
diff --git a/packages/next/pages/_document.js b/packages/next/pages/_document.js
index 560c402fd42d5..b4e3dc5f0cd77 100644
--- a/packages/next/pages/_document.js
+++ b/packages/next/pages/_document.js
@@ -13,9 +13,9 @@ export default class Document extends Component {
     _documentProps: PropTypes.any
   }
 
-  static getInitialProps ({ renderPage }) {
+  static getInitialProps ({ renderPage, styleNonce }) {
     const { html, head } = renderPage()
-    const styles = flush()
+    const styles = flush({ nonce: styleNonce })
     return { html, head, styles }
   }
 
@@ -58,7 +58,6 @@ export class Head extends Component {
 
       return <link
         key={file}
-        nonce={this.props.nonce}
         rel='stylesheet'
         href={`${assetPrefix}/_next/${file}`}
         crossOrigin={this.props.crossOrigin || process.crossOrigin}
@@ -67,21 +66,21 @@ export class Head extends Component {
   }
 
   getPreloadDynamicChunks () {
-    const { dynamicImports, assetPrefix } = this.context._documentProps
+    const { dynamicImports, assetPrefix, scriptNonce } = this.context._documentProps
     return dynamicImports.map((bundle) => {
       return <link
         rel='preload'
         key={bundle.file}
         href={`${assetPrefix}/_next/${bundle.file}`}
         as='script'
-        nonce={this.props.nonce}
+        nonce={this.props.nonce || scriptNonce}
         crossOrigin={this.props.crossOrigin || process.crossOrigin}
       />
     })
   }
 
   getPreloadMainLinks () {
-    const { assetPrefix, files } = this.context._documentProps
+    const { assetPrefix, files, scriptNonce } = this.context._documentProps
     if(!files || files.length === 0) {
       return null
     }
@@ -94,7 +93,7 @@ export class Head extends Component {
 
       return <link
         key={file}
-        nonce={this.props.nonce}
+        nonce={this.props.nonce || scriptNonce }
         rel='preload'
         href={`${assetPrefix}/_next/${file}`}
         as='script'
@@ -104,7 +103,7 @@ export class Head extends Component {
   }
 
   render () {
-    const { head, styles, assetPrefix, __NEXT_DATA__ } = this.context._documentProps
+    const { head, styles, csp, styleNonce, scriptNonce, staticMarkup, assetPrefix, __NEXT_DATA__ } = this.context._documentProps
     const { page, buildId } = __NEXT_DATA__
     const pagePathname = getPagePathname(page)
 
@@ -121,15 +120,28 @@ export class Head extends Component {
     }
 
     return <head {...this.props}>
+      { (staticMarkup && csp) ? <meta http-equiv="Content-Security-Policy" content={csp} /> : null }
+      { styleNonce ? <meta property="csp-nonce" content={styleNonce} /> : null }
       {children}
       {head}
-      {page !== '/_error' && <link rel='preload' href={`${assetPrefix}/_next/static/${buildId}/pages${pagePathname}`} as='script' nonce={this.props.nonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />}
-      <link rel='preload' href={`${assetPrefix}/_next/static/${buildId}/pages/_app.js`} as='script' nonce={this.props.nonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />
-      <link rel='preload' href={`${assetPrefix}/_next/static/${buildId}/pages/_error.js`} as='script' nonce={this.props.nonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />
+      {page !== '/_error' && <link rel='preload' href={`${assetPrefix}/_next/static/${buildId}/pages${pagePathname}`} as='script' nonce={this.props.nonce || scriptNonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />}
+      <link rel='preload' href={`${assetPrefix}/_next/static/${buildId}/pages/_app.js`} as='script' nonce={this.props.nonce || scriptNonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />
+      <link rel='preload' href={`${assetPrefix}/_next/static/${buildId}/pages/_error.js`} as='script' nonce={this.props.nonce || scriptNonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />
       {this.getPreloadDynamicChunks()}
       {this.getPreloadMainLinks()}
       {this.getCssLinks()}
       {styles || null}
+      { process.env.NODE_ENV !== 'production' && <style nonce={styleNonce}>{`
+        .__next_error__ {
+          position: fixed;
+          top: 0;
+          left: 0;
+          width: 100%;
+          height: 100%;
+          border: none;
+          z-index: 2147483647;
+        }
+      `}</style> }
     </head>
   }
 }
@@ -158,20 +170,20 @@ export class NextScript extends Component {
   }
 
   getDynamicChunks () {
-    const { dynamicImports, assetPrefix } = this.context._documentProps
+    const { dynamicImports, assetPrefix, scriptNonce } = this.context._documentProps
     return dynamicImports.map((bundle) => {
       return <script
         async
         key={bundle.file}
         src={`${assetPrefix}/_next/${bundle.file}`}
-        nonce={this.props.nonce}
+        nonce={this.props.nonce || scriptNonce}
         crossOrigin={this.props.crossOrigin || process.crossOrigin}
       />
     })
   }
 
   getScripts () {
-    const { assetPrefix, files } = this.context._documentProps
+    const { assetPrefix, files, scriptNonce } = this.context._documentProps
     if(!files || files.length === 0) {
       return null
     }
@@ -185,7 +197,7 @@ export class NextScript extends Component {
       return <script
         key={file}
         src={`${assetPrefix}/_next/${file}`}
-        nonce={this.props.nonce}
+        nonce={this.props.nonce || scriptNonce}
         async
         crossOrigin={this.props.crossOrigin || process.crossOrigin}
       />
@@ -198,7 +210,7 @@ export class NextScript extends Component {
   }
 
   render () {
-    const { staticMarkup, assetPrefix, devFiles, __NEXT_DATA__ } = this.context._documentProps
+    const { staticMarkup, assetPrefix, scriptNonce, devFiles, __NEXT_DATA__ } = this.context._documentProps
     const { page, buildId } = __NEXT_DATA__
     const pagePathname = getPagePathname(page)
 
@@ -207,13 +219,13 @@ export class NextScript extends Component {
     }
 
     return <Fragment>
-      {devFiles ? devFiles.map((file) => <script key={file} src={`${assetPrefix}/_next/${file}`} nonce={this.props.nonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />) : null}
-      {staticMarkup ? null : <script id="__NEXT_DATA__" type="application/json" nonce={this.props.nonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} dangerouslySetInnerHTML={{
+      {devFiles ? devFiles.map((file) => <script key={file} src={`${assetPrefix}/_next/${file}`} nonce={this.props.nonce || scriptNonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />) : null}
+      {staticMarkup ? null : <script id="__NEXT_DATA__" type="application/json" dangerouslySetInnerHTML={{
         __html: NextScript.getInlineScriptSource(this.context._documentProps)
       }} />}
-      {page !== '/_error' && <script async id={`__NEXT_PAGE__${page}`} src={`${assetPrefix}/_next/static/${buildId}/pages${pagePathname}`} nonce={this.props.nonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />}
-      <script async id={`__NEXT_PAGE__/_app`} src={`${assetPrefix}/_next/static/${buildId}/pages/_app.js`} nonce={this.props.nonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />
-      <script async id={`__NEXT_PAGE__/_error`} src={`${assetPrefix}/_next/static/${buildId}/pages/_error.js`} nonce={this.props.nonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />
+      {page !== '/_error' && <script async id={`__NEXT_PAGE__${page}`} src={`${assetPrefix}/_next/static/${buildId}/pages${pagePathname}`} nonce={this.props.nonce || scriptNonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />}
+      <script async id={`__NEXT_PAGE__/_app`} src={`${assetPrefix}/_next/static/${buildId}/pages/_app.js`} nonce={this.props.nonce || scriptNonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />
+      <script async id={`__NEXT_PAGE__/_error`} src={`${assetPrefix}/_next/static/${buildId}/pages/_error.js`} nonce={this.props.nonce || scriptNonce} crossOrigin={this.props.crossOrigin || process.crossOrigin} />
       {staticMarkup ? null : this.getDynamicChunks()}
       {staticMarkup ? null : this.getScripts()}
     </Fragment>
diff --git a/packages/next/pages/_error.js b/packages/next/pages/_error.js
index cef92cf782131..420858ca49b38 100644
--- a/packages/next/pages/_error.js
+++ b/packages/next/pages/_error.js
@@ -2,6 +2,7 @@ import React from 'react'
 import PropTypes from 'prop-types'
 import HTTPStatus from 'http-status'
 import Head from 'next-server/head'
+import styleSheet from '../static/error.css'
 
 export default class Error extends React.Component {
   static getInitialProps ({ res, err }) {
@@ -15,16 +16,17 @@ export default class Error extends React.Component {
       ? 'This page could not be found'
       : HTTPStatus[statusCode] || 'An unexpected error has occurred'
 
-    return <div style={styles.error}>
+    // TODO: Asset prefix and isnt _next a config option?
+    return <div className='error'>
       <Head>
         <meta name='viewport' content='width=device-width, initial-scale=1.0' />
+        <link rel='stylesheet' href={`/_next/${styleSheet}`} />
         <title>{statusCode}: {title}</title>
       </Head>
       <div>
-        <style dangerouslySetInnerHTML={{ __html: 'body { margin: 0 }' }} />
-        {statusCode ? <h1 style={styles.h1}>{statusCode}</h1> : null}
-        <div style={styles.desc}>
-          <h2 style={styles.h2}>{title}.</h2>
+        {statusCode ? <h1>{statusCode}</h1> : null}
+        <div className='desc'>
+          <h2>{title}.</h2>
         </div>
       </div>
     </div>
@@ -36,44 +38,3 @@ if (process.env.NODE_ENV !== 'production') {
     statusCode: PropTypes.number
   }
 }
-
-const styles = {
-  error: {
-    color: '#000',
-    background: '#fff',
-    fontFamily: '-apple-system, BlinkMacSystemFont, Roboto, "Segoe UI", "Fira Sans", Avenir, "Helvetica Neue", "Lucida Grande", sans-serif',
-    height: '100vh',
-    textAlign: 'center',
-    display: 'flex',
-    flexDirection: 'column',
-    alignItems: 'center',
-    justifyContent: 'center'
-  },
-
-  desc: {
-    display: 'inline-block',
-    textAlign: 'left',
-    lineHeight: '49px',
-    height: '49px',
-    verticalAlign: 'middle'
-  },
-
-  h1: {
-    display: 'inline-block',
-    borderRight: '1px solid rgba(0, 0, 0,.3)',
-    margin: 0,
-    marginRight: '20px',
-    padding: '10px 23px 10px 0',
-    fontSize: '24px',
-    fontWeight: 500,
-    verticalAlign: 'top'
-  },
-
-  h2: {
-    fontSize: '14px',
-    fontWeight: 'normal',
-    lineHeight: 'inherit',
-    margin: 0,
-    padding: 0
-  }
-}
diff --git a/packages/next/server/error-debug.js b/packages/next/server/error-debug.js
index 44f6f7c1b6ee8..3620129d871ed 100644
--- a/packages/next/server/error-debug.js
+++ b/packages/next/server/error-debug.js
@@ -1,19 +1,21 @@
 import React from 'react'
 import ansiHTML from 'ansi-html'
 import Head from 'next-server/head'
+import styleSheet from '../static/error-debug.css'
 
 // This component is rendered through dev-error-overlay on the client side.
 // On the server side it's rendered directly
 export default function ErrorDebug ({error, info}) {
   const { name, message } = error
   return (
-    <div style={styles.errorDebug}>
+    <div className='errorDebug'>
       <Head>
         <meta name='viewport' content='width=device-width, initial-scale=1.0' />
+        <link rel='stylesheet' href={`/_next/${styleSheet}`} />
       </Head>
       {
         name === 'ModuleBuildError' && message
-          ? <pre style={styles.stack} dangerouslySetInnerHTML={{ __html: ansiHTML(encodeHtml(message)) }} />
+          ? <pre className='stack' dangerouslySetInnerHTML={{ __html: ansiHTML(encodeHtml(message)) }} />
           : <StackTrace error={error} info={info} />
       }
     </div>
@@ -22,53 +24,16 @@ export default function ErrorDebug ({error, info}) {
 
 const StackTrace = ({ error: { name, message, stack }, info }) => (
   <div>
-    <div style={styles.heading}>{message || name}</div>
-    <pre style={styles.stack}>
+    <div className='heading'>{message || name}</div>
+    <pre className='stack'>
       {stack}
     </pre>
-    {info && <pre style={styles.stack}>
+    {info && <pre className='stack'>
       {info.componentStack}
     </pre>}
   </div>
 )
 
-export const styles = {
-  errorDebug: {
-    background: '#ffffff',
-    boxSizing: 'border-box',
-    overflow: 'auto',
-    padding: '24px',
-    position: 'fixed',
-    left: 0,
-    right: 0,
-    top: 0,
-    bottom: 0,
-    zIndex: 9999,
-    color: '#000000'
-  },
-
-  stack: {
-    fontFamily: '"SF Mono", "Roboto Mono", "Fira Mono", consolas, menlo-regular, monospace',
-    fontSize: '13px',
-    lineHeight: '18px',
-    color: '#777',
-    margin: 0,
-    whiteSpace: 'pre-wrap',
-    wordWrap: 'break-word',
-    marginTop: '16px'
-  },
-
-  heading: {
-    fontFamily: '-apple-system, system-ui, BlinkMacSystemFont, Roboto, "Segoe UI", "Fira Sans", Avenir, "Helvetica Neue", "Lucida Grande", sans-serif',
-    fontSize: '20px',
-    fontWeight: '400',
-    lineHeight: '28px',
-    color: '#000000',
-    marginBottom: '0px',
-    marginTop: '0px'
-  }
-}
-
 const encodeHtml = str => {
   return str.replace(/</g, '&lt;').replace(/>/g, '&gt;')
 }
diff --git a/packages/next/static/error-debug.css b/packages/next/static/error-debug.css
new file mode 100644
index 0000000000000..db7c845db2c93
--- /dev/null
+++ b/packages/next/static/error-debug.css
@@ -0,0 +1,34 @@
+.errorDebug {
+  background: #ffffff;
+  box-sizing: border-box;
+  overflow: auto;
+  padding: 24px;
+  position: fixed;
+  left: 0;
+  right: 0;
+  top: 0;
+  bottom: 0;
+  z-index: 9999;
+  color: #000000;
+}
+
+.stack {
+  font-family: "SF Mono", "Roboto Mono", "Fira Mono", consolas, menlo-regular, monospace;
+  font-size: 13px;
+  line-height: 18px;
+  color: #777;
+  margin: 0;
+  white-space: pre-wrap;
+  word-wrap: break-word;
+  margin-top: 16px;
+}
+
+.heading {
+  font-family: -apple-system, system-ui, BlinkMacSystemFont, Roboto, "Segoe UI", "Fira Sans", Avenir, "Helvetica Neue", "Lucida Grande", sans-serif;
+  font-size: 20px;
+  font-weight: 400;
+  line-height: 28px;
+  color: #000000;
+  margin-bottom: 0px;
+  margin-top: 0px;
+}
diff --git a/packages/next/static/error.css b/packages/next/static/error.css
new file mode 100644
index 0000000000000..8bc929d828944
--- /dev/null
+++ b/packages/next/static/error.css
@@ -0,0 +1,42 @@
+body {
+  margin: 0;
+}
+
+.error {
+  color: #000;
+  background: #fff;
+  font-family: -apple-system, BlinkMacSystemFont, Roboto, "Segoe UI", "Fira Sans", Avenir, "Helvetica Neue", "Lucida Grande", sans-serif;
+  height: 100vh;
+  text-align: center;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+}
+
+.desc {
+  display: inline-block;
+  text-align: left;
+  line-height: 49px;
+  height: 49px;
+  vertical-align: middle;
+}
+
+h1 {
+  display: inline-block;
+  border-right: 1px solid rgba(0, 0, 0,.3);
+  margin: 0;
+  margin-right: 20px;
+  padding: 10px 23px 10px 0;
+  font-size: 24px;
+  font-weight: 500;
+  vertical-align: top;
+}
+
+h2 {
+  font-size: 14px;
+  font-weight: normal;
+  line-height: inherit;
+  margin: 0;
+  padding: 0;
+}
\ No newline at end of file
diff --git a/packages/next/taskfile.js b/packages/next/taskfile.js
index 9b7af2d5d5a96..ca55053364ee9 100644
--- a/packages/next/taskfile.js
+++ b/packages/next/taskfile.js
@@ -1,7 +1,7 @@
 const notifier = require('node-notifier')
 
 export async function compile (task) {
-  await task.parallel(['bin', 'server', 'nextbuild', 'nextbuildstatic', 'pages', 'lib', 'client'])
+  await task.parallel(['copyStatic', 'bin', 'server', 'nextbuild', 'nextbuildstatic', 'pages', 'lib', 'client'])
 }
 
 export async function bin (task, opts) {
@@ -39,6 +39,10 @@ export async function pages (task, opts) {
   await task.source(opts.src || 'pages/**/*.+(js|ts|tsx)').typescript().target('dist/pages')
 }
 
+export async function copyStatic (task, opts) {
+  await task.source(opts.src || 'static/**/*').target('dist/static')
+}
+
 export async function build (task) {
   await task.serial(['compile'])
 }
diff --git a/test/integration/app-aspath/next.config.js b/test/integration/app-aspath/next.config.js
new file mode 100644
index 0000000000000..958b0d906af15
--- /dev/null
+++ b/test/integration/app-aspath/next.config.js
@@ -0,0 +1,3 @@
+module.exports = {
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';"
+}
diff --git a/test/integration/app-document/next.config.js b/test/integration/app-document/next.config.js
index 45e0e07d1d98d..e95412c4bf484 100644
--- a/test/integration/app-document/next.config.js
+++ b/test/integration/app-document/next.config.js
@@ -1,3 +1,4 @@
 module.exports = {
+  contentSecurityPolicy: "default-src 'none'; script-src 'nonce-{script-nonce}' 'strict-dynamic' 'unsafe-inline' http: https:; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
   crossOrigin: 'anonymous'
 }
diff --git a/test/integration/app-document/pages/_document.js b/test/integration/app-document/pages/_document.js
index aa64345a227dc..9c0c320faba75 100644
--- a/test/integration/app-document/pages/_document.js
+++ b/test/integration/app-document/pages/_document.js
@@ -1,12 +1,6 @@
-import crypto from 'crypto'
+import flush from 'styled-jsx/server'
 import Document, { Head, Main, NextScript } from 'next/document'
 
-const cspHashOf = (text) => {
-  const hash = crypto.createHash('sha256')
-  hash.update(text)
-  return `'sha256-${hash.digest('base64')}'`
-}
-
 export default class MyDocument extends Document {
   static async getInitialProps (ctx) {
     let options
@@ -26,33 +20,27 @@ export default class MyDocument extends Document {
       }
     }
 
+    const { styleNonce, scriptNonce } = ctx
+
     const result = ctx.renderPage(options)
+    const styles = flush({ nonce: styleNonce })
 
-    return { ...result, customProperty: 'Hello Document', withCSP: ctx.query.withCSP }
+    return { ...result, styles, styleNonce, scriptNonce, customProperty: 'Hello Document', withViolation: ctx.query.withViolation }
   }
 
   render () {
-    let csp
-    switch (this.props.withCSP) {
-      case 'hash':
-        csp = `default-src 'self'; script-src 'self' ${cspHashOf(NextScript.getInlineScriptSource(this.props))}; style-src 'self' 'unsafe-inline'`
-        break
-      case 'nonce':
-        csp = `default-src 'self'; script-src 'self' 'nonce-test-nonce'; style-src 'self' 'unsafe-inline'`
-        break
-    }
-
     return (
       <html>
-        <Head nonce='test-nonce'>
-          {csp ? <meta httpEquiv='Content-Security-Policy' content={csp} /> : null}
-          <style>{`body { margin: 0 } /* custom! */`}</style>
-        </Head>
+        <Head />
         <body className='custom_class'>
+          <script type='text/javascript' dangerouslySetInnerHTML={{ __html: "console.log('logged')" }} nonce={this.props.scriptNonce} crossOrigin='anonymous' />
+          <style nonce={this.props.styleNonce}>{`p { font-size: 50px;}`}</style>
+          <style jsx>{`p { color: blue }`}</style>
+          { this.props.withViolation ? (<style>{`p { color: red }`}</style>) : '' }
           <p id='custom-property'>{this.props.customProperty}</p>
           <p id='document-hmr'>Hello Document HMR</p>
           <Main />
-          <NextScript nonce='test-nonce' />
+          <NextScript />
         </body>
       </html>
     )
diff --git a/test/integration/app-document/pages/inline.js b/test/integration/app-document/pages/inline.js
new file mode 100644
index 0000000000000..1dc9f15745ca1
--- /dev/null
+++ b/test/integration/app-document/pages/inline.js
@@ -0,0 +1,3 @@
+export default () => <div>
+  <script type='text/javascript' dangerouslySetInnerHTML={{ __html: "console.log('logged')" }} />
+</div>
diff --git a/test/integration/app-document/test/csp.js b/test/integration/app-document/test/csp.js
index 8fa0cbea697e0..84827db355ef5 100644
--- a/test/integration/app-document/test/csp.js
+++ b/test/integration/app-document/test/csp.js
@@ -4,17 +4,26 @@ import webdriver from 'next-webdriver'
 
 export default (context, render) => {
   describe('With CSP enabled', () => {
-    it('should load inline script by hash', async () => {
-      const browser = await webdriver(context.appPort, '/?withCSP=hash')
+    it('load without violations', async () => {
+      const browser = await webdriver(context.appPort, '/')
       const errLog = await browser.log('browser')
+      const nonce = await browser.elementByCss('meta[property="csp-nonce"]').getAttribute('content')
+      expect(nonce).toMatch(/\w+=/)
       expect(errLog.filter((e) => e.source === 'security')).toEqual([])
       browser.close()
     })
 
-    it('should load inline script by nonce', async () => {
-      const browser = await webdriver(context.appPort, '/?withCSP=nonce')
+    it('CSP should fail with inline styles', async () => {
+      const browser = await webdriver(context.appPort, '/?withViolation=true')
       const errLog = await browser.log('browser')
-      expect(errLog.filter((e) => e.source === 'security')).toEqual([])
+      expect(errLog.filter((e) => e.source === 'security')[0].level).toEqual('SEVERE')
+      browser.close()
+    })
+
+    it('CSP should fail when inline script', async () => {
+      const browser = await webdriver(context.appPort, '/inline')
+      const errLog = await browser.log('browser')
+      expect(errLog.filter((e) => e.source === 'security')[0].level).toEqual('SEVERE')
       browser.close()
     })
   })
diff --git a/test/integration/app-document/test/rendering.js b/test/integration/app-document/test/rendering.js
index 100faa5141c66..43829d5c88f0f 100644
--- a/test/integration/app-document/test/rendering.js
+++ b/test/integration/app-document/test/rendering.js
@@ -25,12 +25,11 @@ export default function ({ app }, suiteName, render, fetch) {
         expect($('#custom-property').text() === 'Hello Document')
       })
 
-      test('It adds nonces to all scripts and preload links', async () => {
+      test('It adds nonces to all styles and preload links', async () => {
         const $ = await get$('/')
-        const nonce = 'test-nonce'
         let noncesAdded = true
-        $('script, link[rel=preload]').each((index, element) => {
-          if ($(element).attr('nonce') !== nonce) noncesAdded = false
+        $('stlyes, script, link[rel=preload]').each((index, element) => {
+          if (!/^\w+=$/.test($(element).attr('nonce')) && $(element).attr('id') !== '__NEXT_DATA__') noncesAdded = false
         })
         expect(noncesAdded).toBe(true)
       })
@@ -39,7 +38,7 @@ export default function ({ app }, suiteName, render, fetch) {
         const $ = await get$('/')
         const crossOrigin = 'anonymous'
         $('script, link[rel=preload]').each((index, element) => {
-          expect($(element).attr('crossorigin') === crossOrigin).toBeTruthy()
+          expect($(element).attr('crossorigin') === crossOrigin || $(element).attr('id') === '__NEXT_DATA__').toBeTruthy()
         })
       })
 
diff --git a/test/integration/babel/next.config.js b/test/integration/babel/next.config.js
new file mode 100644
index 0000000000000..958b0d906af15
--- /dev/null
+++ b/test/integration/babel/next.config.js
@@ -0,0 +1,3 @@
+module.exports = {
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';"
+}
diff --git a/test/integration/basic/next.config.js b/test/integration/basic/next.config.js
index 35dcf0f6b8744..78e903a8b076e 100644
--- a/test/integration/basic/next.config.js
+++ b/test/integration/basic/next.config.js
@@ -1,4 +1,5 @@
 module.exports = {
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
   onDemandEntries: {
     // Make sure entries are not getting disposed.
     maxInactiveAge: 1000 * 60 * 60
diff --git a/test/integration/config/next.config.js b/test/integration/config/next.config.js
index a709be300bdea..01617ef87c196 100644
--- a/test/integration/config/next.config.js
+++ b/test/integration/config/next.config.js
@@ -14,6 +14,7 @@ module.exports = withCSS(withSass({
   publicRuntimeConfig: {
     staticFolder: '/static'
   },
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
   webpack (config, {buildId}) {
     // When next-css is `npm link`ed we have to solve loaders from the project root
     const nextLocation = path.join(require.resolve('next/package.json'), '../')
diff --git a/test/integration/custom-server/next.config.js b/test/integration/custom-server/next.config.js
index 4acb43c2e4b45..a996fd846b50a 100644
--- a/test/integration/custom-server/next.config.js
+++ b/test/integration/custom-server/next.config.js
@@ -3,5 +3,6 @@ module.exports = {
     // Make sure entries are not getting disposed.
     maxInactiveAge: 1000 * 60 * 60
   },
-  generateEtags: process.env.GENERATE_ETAGS === 'true'
+  generateEtags: process.env.GENERATE_ETAGS === 'true',
+  contentSecurityPolicy: "default-src 'none'; script-src //127.0.0.1 'nonce-{script-nonce}' 'strict-dynamic' 'unsafe-inline' http: https:; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src //127.0.0.1 'self';img-src //127.0.0.1 'self';"
 }
diff --git a/test/integration/dist-dir/next.config.js b/test/integration/dist-dir/next.config.js
index db58ee17b506d..6b984cf005054 100644
--- a/test/integration/dist-dir/next.config.js
+++ b/test/integration/dist-dir/next.config.js
@@ -1,4 +1,5 @@
 module.exports = {
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
   onDemandEntries: {
     // Make sure entries are not getting disposed.
     maxInactiveAge: 1000 * 60 * 60
diff --git a/test/integration/export/next.config.js b/test/integration/export/next.config.js
index d4cffa6a1c8c8..f98e3996dc94f 100644
--- a/test/integration/export/next.config.js
+++ b/test/integration/export/next.config.js
@@ -2,6 +2,7 @@ const {PHASE_DEVELOPMENT_SERVER} = require('next-server/constants')
 
 module.exports = (phase) => {
   return {
+    contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
     distDir: phase === PHASE_DEVELOPMENT_SERVER ? '.next-dev' : '.next',
     exportPathMap: function () {
       return {
diff --git a/test/integration/filesystempublicroutes/next.config.js b/test/integration/filesystempublicroutes/next.config.js
index 7e9b9ec9e4ddd..75437e87a51c0 100644
--- a/test/integration/filesystempublicroutes/next.config.js
+++ b/test/integration/filesystempublicroutes/next.config.js
@@ -4,6 +4,7 @@ module.exports = {
     maxInactiveAge: 1000 * 60 * 60
   },
   useFileSystemPublicRoutes: false,
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
   exportPathMap () {
     return {
       '/exportpathmap-route': {page: '/exportpathmap-route'}
diff --git a/test/integration/lambdas/next.config.js b/test/integration/lambdas/next.config.js
index a4676bfc45b50..903ce81403a51 100644
--- a/test/integration/lambdas/next.config.js
+++ b/test/integration/lambdas/next.config.js
@@ -3,5 +3,6 @@ module.exports = {
     // Make sure entries are not getting disposed.
     maxInactiveAge: 1000 * 60 * 60
   },
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
   lambdas: true
 }
diff --git a/test/integration/ondemand/next.config.js b/test/integration/ondemand/next.config.js
index bf398f938a3f6..f4ab6899b8dc3 100644
--- a/test/integration/ondemand/next.config.js
+++ b/test/integration/ondemand/next.config.js
@@ -1,5 +1,6 @@
 module.exports = {
   onDemandEntries: {
     maxInactiveAge: 1000 * 5
-  }
+  },
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';"
 }
diff --git a/test/integration/page-extensions/next.config.js b/test/integration/page-extensions/next.config.js
index eddd33b8bd573..24743f7ee021e 100644
--- a/test/integration/page-extensions/next.config.js
+++ b/test/integration/page-extensions/next.config.js
@@ -3,5 +3,6 @@ module.exports = withTypescript({
   onDemandEntries: {
     // Make sure entries are not getting disposed.
     maxInactiveAge: 1000 * 60 * 60
-  }
+  },
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';"
 })
diff --git a/test/integration/production-config/next.config.js b/test/integration/production-config/next.config.js
index 4d8a001d1d991..1ac044b305d65 100644
--- a/test/integration/production-config/next.config.js
+++ b/test/integration/production-config/next.config.js
@@ -6,6 +6,7 @@ module.exports = withCSS(withSass({
     // Make sure entries are not getting disposed.
     maxInactiveAge: 1000 * 60 * 60
   },
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
   webpack (config, {buildId}) {
     // When next-css is `npm link`ed we have to solve loaders from the project root
     const nextLocation = path.join(require.resolve('next/package.json'), '../')
diff --git a/test/integration/production/next.config.js b/test/integration/production/next.config.js
index 35dcf0f6b8744..317d36425d416 100644
--- a/test/integration/production/next.config.js
+++ b/test/integration/production/next.config.js
@@ -2,5 +2,6 @@ module.exports = {
   onDemandEntries: {
     // Make sure entries are not getting disposed.
     maxInactiveAge: 1000 * 60 * 60
-  }
+  },
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';"
 }
diff --git a/test/integration/production/test/index.test.js b/test/integration/production/test/index.test.js
index 757a7c6053688..46fe6d6c7e67c 100644
--- a/test/integration/production/test/index.test.js
+++ b/test/integration/production/test/index.test.js
@@ -241,6 +241,7 @@ describe('Production Usage', () => {
       // Let the browser to prefetch the page and error it on the console.
       await waitFor(3000)
       const browserLogs = await browser.log('browser')
+      console.log(browserLogs) // Only here to debug Azure
       let foundLog = false
       browserLogs.forEach((log) => {
         if (log.message.match(/\/no-such-page\.js - Failed to load resource/)) {
diff --git a/test/integration/production/test/security.js b/test/integration/production/test/security.js
index 5d0621e8ef283..8c44568efd2cd 100644
--- a/test/integration/production/test/security.js
+++ b/test/integration/production/test/security.js
@@ -18,6 +18,13 @@ async function checkInjected (browser) {
 
 module.exports = (context) => {
   describe('With Security Related Issues', () => {
+    it('CSP should load without violations', async () => {
+      const browser = await webdriver(context.appPort, '/')
+      const errLog = await browser.log('browser')
+      expect(errLog.filter((e) => e.source === 'security')).toEqual([])
+      browser.close()
+    })
+
     it('should only access files inside .next directory', async () => {
       const buildId = readFileSync(join(__dirname, '../.next/BUILD_ID'), 'utf8')
 
diff --git a/test/integration/size-limit/next.config.js b/test/integration/size-limit/next.config.js
index ed457cd774327..9f8610f22f464 100644
--- a/test/integration/size-limit/next.config.js
+++ b/test/integration/size-limit/next.config.js
@@ -8,6 +8,7 @@ module.exports = {
     }))
     return config
   },
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';",
   onDemandEntries: {
     // Make sure entries are not getting disposed.
     maxInactiveAge: 1000 * 60 * 60
diff --git a/test/integration/with-router/next.config.js b/test/integration/with-router/next.config.js
new file mode 100644
index 0000000000000..958b0d906af15
--- /dev/null
+++ b/test/integration/with-router/next.config.js
@@ -0,0 +1,3 @@
+module.exports = {
+  contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'nonce-{style-nonce}' 'unsafe-inline';connect-src 'self';img-src 'self';"
+}