Entry CSS integrity issues on CDN #528
Comments
Hi @ptdev
Hi @vejja Thanks for the quick reply. But I'm not adding this file (or any CSS) manually anywhere. All I have is some files on the css property inside nuxt.config.ts. So I'm guessing that entry.*.css is automatically added by nuxt (?)
Ah ok, I think I understand: you are building the website HTML for a given domain, and then manually moving only the CSS and JS files to another CDN, is that right?
Hi, Yes, and we are using We're not copying any files to the CDN host.
Ok, very clear.
Hi again, Was looking further into this and it appears that it will definitely most likely be a Nuxt or Vite issue. I've opened an issue on Nuxt's repo with a better repro link and description of the issue. Closing here, thanks for the hints 👍
Thanks once again @vejja for jumping into this 💚
FYI @ptdev - I could reproduce and confirm the issue. The upgrade to Vite 5.4.7 does not solve the problem. As far as providing an immediate workaround, I can only see 2 options:
@ptdev: Quick update on this one
Oops, sorry @danielroe, talked too fast here. Unless I'm missing something I believe that:
There is one more place we need to update it...
See nuxt/nuxt#29138. I'd appreciate if you have a look in the rest of the renderer file to see if there are other places we should be adding
From a security perspective, subresource integrity hashes are only valid
The W3C RFC provides that other tags may be added to the list in the future, but it is not part of the standard currently so we only add the In summary we don't need
@danielroe : To be clear I believe it's only on
Hi, Thanks for the updates but the issue still appears to remain the same on my end. 😞 I forked the original reproduction that was posted on the issue at Nuxt's repo: https://stackblitz.com/edit/nuxt-starter-d6e555?file=README.txt Ran See screenshot: Only when navigating from another page, the crossorigin attribute is correctly defined.
Yes, you'll need to wait for nuxt/nuxt#29138 to be released first 🙏
Daniel, not sure if feasible but if yes - would you mind backporting it to 3.14?
for sure! I'm backporting all non-breaking changes (features as well as bugfixes)
Hi @ptdev
Hi @vejja Yes, we've updated to 3.14 and can confirm that we can now use a CDN through the cdnUrl parameter without any issues. Thanks for everything, cheers! 👍
Hi,
We're trying to add a CDN to our project but once this CSS gets served from the CDN we get the following security issue:
Subresource Integrity: The resource 'https://staging-cdn.***********.com/_nuxt/entry.D43X-ZjV.css' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the integrity cannot be enforced.
For some reason, only this single entry.*.css gives the error. And after looking at the page source, it appears that this may be because the link tag for this CSS file doesn't have the crossorigin parameter as the rest of the files (?). See screenshot:
Now, I'm not sure if this is the actual cause but was just wondering if there is a reason that this particular CSS link tag doesn't have the crossorigin parameter in it, or if there is any option to enable it.
Thank you, cheers.
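The condition reported above (a tag with an integrity attribute that loads from another origin without a crossorigin attribute) can be checked for in rendered HTML before deployment. This is an added example, not code from the thread, Nuxt or nuxt-security; the hostnames, hash placeholders and function names are assumptions.

```javascript
// Added example: flag tags that carry an SRI hash but load cross-origin
// without a crossorigin attribute (the condition behind the error above).
// Hostnames, hash placeholders and function names are constructed.

// Parse one tag's attributes into a map keyed by lowercased name.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return the URLs of <link>/<script> tags that have integrity, resolve to an
// origin other than pageOrigin, and lack crossorigin. The browser fetches
// these without CORS, cannot verify the hash, and blocks the resource.
function findSriCorsGaps(html, pageOrigin) {
  const findings = [];
  const page = new URL(pageOrigin).origin;
  for (const [tag, name] of html.matchAll(/<(link|script)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const url = name.toLowerCase() === 'link' ? a.href : a.src;
    if (!url || !('integrity' in a)) continue;
    const isCrossOrigin = new URL(url, pageOrigin).origin !== page;
    if (isCrossOrigin && !('crossorigin' in a)) findings.push(url);
  }
  return findings;
}

// Constructed sample of a rendered page head (not taken from the issue).
const sampleHtml = `
<link rel="stylesheet" href="https://cdn.example.test/_nuxt/entry.PLACEHOLDER.css" integrity="sha384-PLACEHOLDER">
<link rel="stylesheet" href="https://cdn.example.test/_nuxt/other.css" integrity="sha384-PLACEHOLDER" crossorigin>
<script type="module" src="https://cdn.example.test/_nuxt/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="/_nuxt/local.css" integrity="sha384-PLACEHOLDER">
<link rel="icon" href="https://cdn.example.test/favicon.ico">
`;

console.log(findSriCorsGaps(sampleHtml, 'https://www.example.test'));
```

Run it against the server-rendered HTML rather than the client-navigated DOM, since the thread reports the attribute was only missing on the initial page load.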