Right script-src parameter in Content-Security-Policy #136
Comments
Hey, thank you for reporting this issue! I will take a look at it in the upcoming days :)
I just talked about this during the Nuxt Insiders meeting and we came up with some ideas on how this can be implemented. I will be working on it next week probably :)
Hello, did you fix that issue?
Hey, not yet. I am working on it. I have been quite busy recently with other topics. If anyone would like to contribute to it, feel free to open a PR with the change :)
Any updates on "As an alternative, script-src can include 'nonce-***' and the nonce must be injected as an attribute in the nuxt-data script (for better security the nonce must be randomized on every request, not constant)."
Hey, not really. Recently, I did not have time to work on this feature. It is open for contributions for anyone who would like to tackle this. I will be able to come back to this earliest next week or the week after.
That's no problem, I can't contribute myself, so I will wait for updates on this one.
I've implemented nonce support for CSP in #171. You can test this directly from GitHub by using: Then in your
For more information, refer to the updated documentation in the PR.
@trijpstra-fourlights, your PR is super, thanks! I have written some comments in the PR. What do you think about my suggestions?
@alexbidenko1998 I've addressed your feedback and added a commit regarding your inline literal comment.
@alexbidenko1998 @trijpstra-fourlights The feature has been merged and released in version 0.14.0. Thanks so much for this amazing contribution 💚
Problem description
At the moment, the Content-Security-Policy header does not include the `script-src` directive. It means that every script can be executed in the user's browser, and that is not secure. As a minimal solution I can propose `'script-src': ["'self'", "'unsafe-inline'"]`. It will block `eval` and unsecured scripts from other resources, but it is not right. A more secure solution is to not use `unsafe-inline`. But for this, `nuxt-data` must be resolved by means of a `nonce` or `sha-***`. But I do not know how to do it.

Describe the solution you'd like
In an ideal world, `script-src` should include the `'sha-***'` of `nuxt-data` and automatically calculate it on every HTML render on the server side. As an alternative, `script-src` can include `'nonce-***'` and the nonce must be injected as an attribute in the `nuxt-data` `script` (for better security the `nonce` must be randomized on every request, not constant).

Additional context
In the Next.js framework we can just add a `<NextData nonce="next-data" />` component and inject `nonce-next-data` in `script-src`. It is a simple, correct solution.