Support for nonce or hash value [enhancement] #1011
I've created a reference implementation on the I'll test a bit more with this and create a PR for it when it's good enough. Hash support is not really applicable here AFAICT, as it requires computing a hash for the known script and whitelisting that in your CSP.
I am really looking forward to this feature as it would enable working well with Nuxt Image & Nuxt Security :)
Hey @pi0 could you take a look at it? It would be really useful to have this feature. Thomas is doing amazing work in the development of Nuxt Security features and now prepared a feature for Nuxt Image that would help not only in the case of Nuxt Security, but also for other projects as well :)
Yes Team, please do check and if everything looks good then proceed to merge.
I think this issue could be closed as the PR was merged :)
I don't think that this issue is resolved fully yet. The
Specifying the
This will not work, even when the page specifies Note that you only see a CSP error when the
Note that the error only occurs during SSR. The reason is the following line: image/src/runtime/components/nuxt-img.ts Line 153 in 2b6a877
A workaround could be to attach the event listener in the
Looking for this support, any plans to address soon? Currently having issues when trying to implement a CSP policy:
Recently I added Nuxt Security in a project where I am fetching data from an API URL http://127.0.0.1:8000/api/blog/post/27
I am implementing the Nuxt Image module and while displaying an image
<NuxtImg crossorigin="anonymous" :src="postDetail.post_image" />
it throws an error (only on Firefox; it doesn't throw an error on Chrome and Edge),
which I fixed using the settings below
But it is considered a security risk, as it can open the door to XSS attacks. It's generally recommended to avoid using 'unsafe-inline' whenever possible. I discussed this matter with Nuxt Security and they recommend to use a nonce or hash value. They also said that unfortunately Nuxt Image doesn't support nonce or hash so there is no secure way. You can find the discussion here: Baroshem/nuxt-security#218