Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP violation when directive set to false #432

Closed
cesxhin opened this issue Apr 23, 2024 · 5 comments · Fixed by #429
Closed

CSP violation when directive set to false #432

cesxhin opened this issue Apr 23, 2024 · 5 comments · Fixed by #429
Assignees
@vejja
Labels
bug Something isn't working

Comments

@cesxhin
Copy link

cesxhin commented Apr 23, 2024

image

Version

nuxt-security: v1.3.2
nuxt: v3.11.2

{
    [...]
    "@nuxt/devtools": "1.2.0",
    "@vueuse/nuxt": "10.9.0",
    "vue-router": "4.3.2",
    "vue": "3.4.24",
    "nuxt": "3.11.2",
    "nuxt-security": "^1.3.2",
    [...]
}

Reproduction

https://codesandbox.io/p/live/833607a5-4e18-4517-99f3-552549b9b9dd

With code sandbox it would seem to work well but on my PC it doesn't.

I cleaned .nuxt, node_modules and package-lock and reinstalled everything and same result.

I cannot share the entire code which is confidential.
This is the nuxt-security configuration:

export default defineNuxtConfig({
[...]
 modules: [
    [...]
    'nuxt-security'
    [...]
],
 security: {
        headers:{
            crossOriginEmbedderPolicy: process.env.NODE_ENV === 'development' ? 'unsafe-none' : 'require-corp',
            permissionsPolicy: {
              fullscreen: 'self'
            },
            contentSecurityPolicy: {
                'upgrade-insecure-requests': !(process.env.NODE_ENV === 'development'),
                'img-src': false
            },
        }
    }
[...]
})

Steps to reproduce

Set any value inside contentSecurityPolicy.

What is Expected?

Not show errors of script-src and hash validation.

What is actually happening?

Show errors of script-src and hash validation.
@cesxhin cesxhin added the bug Something isn't working label Apr 23, 2024
@vejja
Copy link
Collaborator

vejja commented Apr 23, 2024

@cesxhin bug confirmed, can reproduce

Regression introduced by #408 in function setNonceInCsp
Blaming 3248ea1#diff-26212f23d270802b4b1588992c6125c83a6c59a138cc290b0017f01151716a1aR54

Will fix
Thanks for the report

@vejja
Copy link
Collaborator

vejja commented Apr 23, 2024

@Baroshem PR #429 fixes, would you like a temporary patch for this one first ?

@Baroshem
Copy link
Owner

@vejja

I think we can waint until the release of the next major with your PR.

I want to look at it this week to release preferably on thursday a new version if that is ok with you :)

@vejja
Copy link
Collaborator

vejja commented Apr 23, 2024

Sounds good to me
@cesxhin the regression is on boolean values for 'upgrade-insecure-requests' and 'img-src', which you are trying to set to false.
Before we fix on Thursday, you could use { 'img-src': ["'none'"] }, and maybe live with the default for upgrade-insecure-requests ?

@vejja vejja changed the title Refused to load the script _nuxt/@vite/client CSP violation when directive set to false Apr 23, 2024
@vejja vejja mentioned this issue Apr 23, 2024
Merged
6 tasks
@vejja vejja self-assigned this Apr 23, 2024
@vejja vejja mentioned this issue Apr 23, 2024
Closed
@cesxhin
Copy link
Author

cesxhin commented Apr 23, 2024

Sounds good to me @cesxhin the regression is on boolean values for 'upgrade-insecure-requests' and 'img-src', which you are trying to set to false. Before we fix on Thursday, you could use { 'img-src': ["'none'"] }, and maybe live with the default for upgrade-insecure-requests ?

Thanks for the immediate replies.

For the moment I have set the version v1.2.2 and I wait when they release.
I'm in no hurry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vejja vejja

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(core): unified router context Baroshem/nuxt-security
3 participants
@vejja @cesxhin @Baroshem