Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: link script in head for CSP 'self' compliance in v3 #266

Closed
dargmuesli opened this issue May 15, 2024 · 4 comments · Fixed by #268
Closed

feat: link script in head for CSP 'self' compliance in v3 #266

dargmuesli opened this issue May 15, 2024 · 4 comments · Fixed by #268
Labels
enhancement New feature or request

Comments

@dargmuesli
Copy link

Is your feature request related to a problem? Please describe.

I'd like to not have any inline scripts to enforce a strict Content Security Policy.

Describe the solution you'd like

The color-mode script should not be inlined as done here

color-mode/src/runtime/nitro-plugin.ts

Line 7 in 65c90d4

htmlContext.head.push(`<script>${script}</script>`)
but instead be an external file that is linked.

Describe alternatives you've considered

Set script-src: 'unsafe-inline' (which is unsafe)

Additional context

This was previously done for Nuxt 2 here:

color-mode/src/runtime/nitro-plugin.ts

Line 7 in 65c90d4

htmlContext.head.push(`<script>${script}</script>`)

@dargmuesli dargmuesli added the enhancement New feature or request label May 15, 2024
@gregmsanderson
Copy link

Ah perhaps this is the issue I'm having too.

I noticed I was getting "Refused to execute inline script because it violates the following Content Security Policy directive" errors in the console. After commenting out the @nuxtjs/color-mode module those went away.

I tried keeping the color module and commented out nuxt-security. Again the error went away (naturally, as then there was no CSP to check!).

So it seems that using nuxt-security with its default options (well, slightly modified to get dev tools working) causes the color mode to not work.

@dargmuesli dargmuesli mentioned this issue Jun 6, 2024
Open
@Gerbuuun
Copy link
Contributor

After my investigation, this seems to be the culprit of the problems I'm having. (described in #228 and #267)
In development it seems to work just fine. But after prerendering pages, nuxt-security applies nonce values on everything.
Because there is a nonce value on the color-mode script even with unsafe-inline it won't execute.
This is only the case with prerendered pages. SSR works just fine.

@Gerbuuun
Copy link
Contributor

Gerbuuun commented Jun 22, 2024
edited
Loading

Ok I went deep into @nuxtjs/color-mode and nuxt-security and have found the bug.

  • nuxt-security uses a regexp to find inline scripts which have no hash created for them yet.
  • The minified script script.min.js has a newline character at the end.

It turns out that the newline breaks the detection from nuxt-security and as such the script does not receive a hash and the CSP will block it.

Now I don't know which of the two need to be fixed (in my opinion probably both right?)
The minified script does not need a newline at the end
nuxt-security inline script detection should not break when a newline is inside the script

edit: @Baroshem what do you think about this?

This was referenced Jun 22, 2024
Merged
Closed
@Baroshem
Copy link

The Nuxt Security part was fixed. Thanks for reporting that :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: trim minified script Gerbuuun/color-mode
4 participants
@dargmuesli @gregmsanderson @Gerbuuun @Baroshem