
CSP violation when directive set to false #432

Closed
cesxhin opened this issue Apr 23, 2024 · 5 comments · Fixed by #429
Assignees
Labels
bug Something isn't working

Comments

@cesxhin

cesxhin commented Apr 23, 2024

[image attached in the original issue]

Version

nuxt-security: v1.3.2
nuxt: v3.11.2

{
    [...]
    "@nuxt/devtools": "1.2.0",
    "@vueuse/nuxt": "10.9.0",
    "vue-router": "4.3.2",
    "vue": "3.4.24",
    "nuxt": "3.11.2",
    "nuxt-security": "^1.3.2",
    [...]
}

Reproduction

https://codesandbox.io/p/live/833607a5-4e18-4517-99f3-552549b9b9dd

With code sandbox it would seem to work well but on my PC it doesn't.

I cleaned .nuxt, node_modules and package-lock and reinstalled everything, with the same result.

I cannot share the entire code which is confidential.
This is the nuxt-security configuration:

export default defineNuxtConfig({
  [...]
  modules: [
    [...]
    'nuxt-security',
    [...]
  ],
  security: {
    headers: {
      crossOriginEmbedderPolicy: process.env.NODE_ENV === 'development' ? 'unsafe-none' : 'require-corp',
      permissionsPolicy: {
        fullscreen: 'self'
      },
      contentSecurityPolicy: {
        'upgrade-insecure-requests': !(process.env.NODE_ENV === 'development'),
        'img-src': false
      },
    }
  }
  [...]
})

Steps to reproduce

Set any value inside contentSecurityPolicy.

What is Expected?

No script-src and hash validation errors are shown.

What is actually happening?

Script-src and hash validation errors are shown.

@cesxhin cesxhin added the bug Something isn't working label Apr 23, 2024
@vejja
Collaborator

vejja commented Apr 23, 2024

@cesxhin bug confirmed, can reproduce

Regression introduced by #408 in function setNonceInCsp
Blaming 3248ea1#diff-26212f23d270802b4b1588992c6125c83a6c59a138cc290b0017f01151716a1aR54

Will fix
Thanks for the report

@vejja
Collaborator

vejja commented Apr 23, 2024

@Baroshem PR #429 fixes this; would you like a temporary patch for this one first?

@Baroshem
Owner

@vejja

I think we can wait until the release of the next major with your PR.

I want to look at it this week to release a new version, preferably on Thursday, if that is ok with you :)

@vejja
Collaborator

vejja commented Apr 23, 2024

Sounds good to me
@cesxhin the regression is on boolean values for 'upgrade-insecure-requests' and 'img-src', which you are trying to set to false.
Before we fix on Thursday, you could use { 'img-src': ["'none'"] }, and maybe live with the default for upgrade-insecure-requests?
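The regression described above hinges on how boolean directive values are treated when a CSP header is assembled and a nonce is injected. The following is an added example, not nuxt-security's own code, showing the semantics the thread relies on: `false` drops a directive entirely, `true` emits a valueless directive such as upgrade-insecure-requests, and arrays are joined into source lists. The `insertNonce` helper is a hypothetical stand-in for the module's setNonceInCsp that only touches array-valued directives, so a boolean can never be turned into a bogus source expression; the directive names it targets and the sample policy are constructed for the illustration.

```javascript
// Added example (not nuxt-security's code): CSP assembly with boolean handling.
//   false  -> directive is omitted from the header
//   true   -> directive emitted with no value (e.g. upgrade-insecure-requests)
//   array  -> sources joined by spaces
// Assumption: only script-src and style-src receive a nonce (hypothetical choice).
const NONCE_DIRECTIVES = ['script-src', 'style-src'];

// Hypothetical counterpart of setNonceInCsp: append 'nonce-<value>' to the
// nonce-bearing directives, leaving booleans and other directives untouched.
function insertNonce(policy, nonce) {
  const out = {};
  for (const [directive, value] of Object.entries(policy)) {
    if (NONCE_DIRECTIVES.includes(directive) && Array.isArray(value)) {
      out[directive] = [...value, `'nonce-${nonce}'`];
    } else {
      out[directive] = value; // booleans pass through unchanged
    }
  }
  return out;
}

// Serialize the policy object into a Content-Security-Policy header value.
function buildCsp(policy) {
  const parts = [];
  for (const [directive, value] of Object.entries(policy)) {
    if (value === false) continue;                // explicitly disabled: omit
    if (value === true) { parts.push(directive); continue; } // valueless directive
    if (Array.isArray(value)) {
      if (value.length === 0) continue;           // nothing to emit
      parts.push(`${directive} ${value.join(' ')}`);
      continue;
    }
    // Anything else (strings, numbers, objects) is a configuration error.
    throw new TypeError(`Unsupported value for ${directive}: ${typeof value}`);
  }
  return parts.join('; ');
}

// Constructed sample mirroring the reporter's configuration.
const samplePolicy = {
  'script-src': ["'self'", "'strict-dynamic'"],
  'upgrade-insecure-requests': false,
  'img-src': false,
};

// Convenience wrapper so the end-to-end result can be checked by name.
function headerFor(policy, nonce) {
  return buildCsp(insertNonce(policy, nonce));
}

console.log(headerFor(samplePolicy, 'abc123'));
// script-src 'self' 'strict-dynamic' 'nonce-abc123'
```

The point of keeping nonce injection and serialization as separate steps is that each one can assume the other has not changed the type of a directive value: a `false` that reaches `buildCsp` is still a boolean and is dropped, rather than being stringified into a source list that the browser then rejects, which is the symptom the reporter saw.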

@vejja vejja changed the title Refused to load the script _nuxt/@vite/client CSP violation when directive set to false Apr 23, 2024
@vejja vejja self-assigned this Apr 23, 2024
@cesxhin
Author

cesxhin commented Apr 23, 2024

Sounds good to me @cesxhin the regression is on boolean values for 'upgrade-insecure-requests' and 'img-src', which you are trying to set to false. Before we fix on Thursday, you could use { 'img-src': ["'none'"] }, and maybe live with the default for upgrade-insecure-requests ?

Thanks for the immediate replies.

For the moment I have set the version v1.2.2 and I wait when they release.
I'm in no hurry.
