Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

feat: link script in head for CSP 'self' compliance in v3 #266

Closed
dargmuesli opened this issue May 15, 2024 · 4 comments · Fixed by #268
Closed

feat: link script in head for CSP 'self' compliance in v3 #266

dargmuesli opened this issue May 15, 2024 · 4 comments · Fixed by #268
Labels
enhancement New feature or request

Comments

@dargmuesli
Copy link

Is your feature request related to a problem? Please describe.

I'd like to not have any inline scripts to enforce a strict Content Security Policy.

Describe the solution you'd like

The color-mode script should not be inlined as done here

color-mode/src/runtime/nitro-plugin.ts

Line 7 in 65c90d4

htmlContext.head.push(`<script>${script}</script>`)
but instead be an external file that is linked.

Describe alternatives you've considered

Set script-src: 'unsafe-inline' (which is unsafe)

Additional context

This was previously done for Nuxt 2 here:

color-mode/src/runtime/nitro-plugin.ts

Line 7 in 65c90d4

htmlContext.head.push(`<script>${script}</script>`)

@dargmuesli dargmuesli added the enhancement New feature or request label May 15, 2024
@gregmsanderson
Copy link

Ah perhaps this is the issue I'm having too.

I noticed I was getting "Refused to execute inline script because it violates the following Content Security Policy directive" errors in the console. After commenting out the @nuxtjs/color-mode module those went away.

I tried keeping the color module and commented out nuxt-security. Again the error went away (naturally, as then there was no CSP to check!).

So it seems that using nuxt-security with its default options (well, slightly modified to get dev tools working) causes the color mode to not work.

@dargmuesli dargmuesli mentioned this issue Jun 6, 2024
Open
@Gerbuuun
Copy link
Contributor

After my investigation, this seems to be the culprit of the problems I'm having. (described in #228 and #267)
In development it seems to work just fine. But after prerendering pages, nuxt-security applies nonce values on everything.
Because there is a nonce value on the color-mode script even with unsafe-inline it won't execute.
This is only the case with prerendered pages. SSR works just fine.

@Gerbuuun
Copy link
Contributor

Gerbuuun commented Jun 22, 2024
edited
Loading

Ok I went deep into @nuxtjs/color-mode and nuxt-security and have found the bug.

  • nuxt-security uses a regexp to find inline scripts which have no hash created for them yet.
  • The minified script script.min.js has a newline character at the end.

It turns out that the newline breaks the detection from nuxt-security and as such the script does not receive a hash and the CSP will block it.

Now I don't know which of the two need to be fixed (in my opinion probably both right?)
The minified script does not need a newline at the end
nuxt-security inline script detection should not break when a newline is inside the script

edit: @Baroshem what do you think about this?

This was referenced Jun 22, 2024
Merged
Closed
@Baroshem
Copy link

The Nuxt Security part was fixed. Thanks for reporting that :)

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: trim minified script Gerbuuun/color-mode
4 participants
@dargmuesli @gregmsanderson @Gerbuuun @Baroshem