-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: make nonce implementation strict CSP compliant #256
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,7 +5,6 @@ import { getRouteRules } from '#imports' | |
|
||
export type NonceOptions = { | ||
enabled: boolean; | ||
mode: 'renew' | 'check'; | ||
value: undefined | (() => string); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure about giving the developper a way to override crypto primitives which are vetted to be safe There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. IMO that's out of scope of this PR |
||
} | ||
|
||
|
@@ -16,26 +15,8 @@ export default defineEventHandler((event) => { | |
if (routeRules.security.nonce !== false) { | ||
const nonceConfig: NonceOptions = routeRules.security.nonce | ||
|
||
// See if we are checking the nonce against the current value, or if we are renewing the nonce value | ||
let nonce: string | undefined | ||
switch (nonceConfig?.mode) { | ||
case 'check': { | ||
nonce = event.context.nonce ?? getCookie(event, 'nonce') | ||
|
||
if (!nonce) { | ||
return sendError(event, createError({ statusCode: 401, statusMessage: 'Nonce is not set' })) | ||
} | ||
|
||
break | ||
} | ||
case 'renew': | ||
default: { | ||
nonce = nonceConfig?.value ? nonceConfig.value() : Buffer.from(crypto.randomUUID()).toString('base64') | ||
setCookie(event, 'nonce', nonce, { sameSite: true, secure: true }) | ||
event.context.nonce = nonce | ||
break | ||
} | ||
} | ||
const nonce = nonceConfig?.value ? nonceConfig.value() : Buffer.from(crypto.randomUUID()).toString('base64') | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'd leave it to just the crypto primitive |
||
event.context.nonce = nonce | ||
|
||
// Set actual nonce value in CSP header | ||
csp = csp.replaceAll('{{nonce}}', nonce as string) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be fair, you can keep the nonce composable server-side.
It could be useful to expose the nonce to third-party modules when they run server-side, such as NuxtImg as you rightly pointed out.
and drop the useCookie part
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, this would then be the best solution: https://github.com/trijpstra-fourlights/nuxt-security/pull/1
as it allows the useNonce, even on SPA mode (although it will use the cookie in that case).
Interestingly enough, the
<img>
element does not have a nonce attribute according to mdn. So it doesn't apply there.