-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chore/2.0.0 #492
base: main
Are you sure you want to change the base?
Chore/2.0.0 #492
Changes from all commits
ff0ecfe
fad91ee
338be11
b7701f1
88dbb4c
2d0ae0a
4528880
765d7e1
23af05a
eb097d0
c38a710
2b0cf0f
a2425ce
0e3ab07
7811a00
b0b4a08
57ff90b
1a5ada9
e6df1ac
4993963
b133ed6
f613df5
a359071
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -245,43 +245,14 @@ Next, you need to configure your img tag to include the `crossorigin` attribute: | |
ℹ Read more about it [here](https://github.com/Baroshem/nuxt-security/issues/138#issuecomment-1497883915). | ||
:: | ||
|
||
## Using nonce with CSP for Nuxt Image | ||
## Nuxt Image | ||
|
||
Having securely configured images is crucial for modern web applications. Check out how to do it below: | ||
|
||
```ts | ||
// nuxt.config.ts | ||
|
||
security: { | ||
nonce: true, | ||
headers: { | ||
contentSecurityPolicy: { | ||
'img-src': ["'self'", 'data:', 'https:'], | ||
'script-src': [ | ||
"'self'", // backwards compatibility for older browsers that don't support strict-dynamic | ||
"'nonce-{{nonce}}'", | ||
"'strict-dynamic'" | ||
], | ||
'script-src-attr': ["'self'"] | ||
} | ||
} | ||
} | ||
``` | ||
|
||
And then configure `NuxtImg` like following: | ||
|
||
```vue | ||
<template> | ||
<NuxtImg src="https://localhost:8000/api/image/xyz" :nonce="nonce" /> | ||
</template> | ||
|
||
<script lang="ts" setup> | ||
const nonce = useNonce() | ||
</script> | ||
``` | ||
When using `<NuxtImg>` or `<NuxtPicture>`, an inline script will be used for error handling during SSR. | ||
This will lead to CSP issues if `unsafe-inline` is not allowed and the image fails to load. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hey @P4sca1 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The inline code will indeed be always the same, so using I calculated the hash that would be needed: echo -n "this.setAttribute('data-error', 1)" | openssl sha256 -binary | openssl base64
bwK6T5wZVTANitXbrTsel7kl/PyCjCd/Dq5Qoz3imjM= Using There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hey @P4sca1 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The |
||
Using nonces for inline event handlers is not supported, so currently there is no workaround. | ||
|
||
::alert{type="info"} | ||
ℹ Read more about it [here](https://github.com/Baroshem/nuxt-security/issues/218#issuecomment-1736940913). | ||
ℹ Read more about it [here](https://github.com/nuxt/image/issues/1011#issuecomment-2242761992). | ||
:: | ||
|
||
## Issue on Firefox when using IFrame | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
<template> | ||
<div> | ||
<h1>Server-only Nuxt-Island component</h1> | ||
<p>Nonce: <span id="server-nonce">{{ nonce }}</span></p> | ||
</div> | ||
</template> | ||
|
||
<script setup lang="ts"> | ||
const nonce = useNonce() | ||
</script> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
<template> | ||
<div> | ||
Island Page | ||
<ServerComponent /> | ||
</div> | ||
</template> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
<template> | ||
<div> | ||
<h1>Server-only Nuxt-Island component</h1> | ||
<p>Nonce: <span id="server-nonce">{{ nonce }}</span></p> | ||
</div> | ||
</template> | ||
|
||
<script setup lang="ts"> | ||
const nonce = useNonce() | ||
</script> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
<template> | ||
<div> | ||
<ServerComponent /> | ||
</div> | ||
</template> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this section should not be removed
The vite nonce is only inserted in dev mode, if I understand correctly
@dargmuesli is this true?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think all offending actions are only executed in dev mode as well. Styles should not be added through JavaScript by Nuxt in production as far as I know. They're just referenced as compiled CSS content in production, at least without changes to any configuration.
I have the fix contained in this PR running for a few of my sites for quite some time now and have not observed any issues (even with close monitoring done by Sentry).
Maybe @danielroe could quickly confirm or refute that style loading through JavaScript only happens in dev mode by vite and, by default, not by Nuxt in production?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm pretty sure we had to use
unsafe-inline
in styles in our own doc website, because @nuxt/ui uses pinceau under the hood, and pinceau modifies styles dynamically at runtime via Javascript.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, but that's somewhat 3rd party, no? The section talks about "Nuxt's mechanism for Client-Side hydration of styles" so maybe the wording should be changed then to reflect the actual reason for the recommendation better. I'd still say the recommendation doesn't really need to be that prominent for the pinceau use case though, but that's just an opinion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll unsubscribe from this PR to reduce noise, just tag me again if you need me