nuxt-security icon indicating copy to clipboard operation
nuxt-security copied to clipboard
verified publisher icon Baroshem

Issue-618: SSG build fails if cdnUrl is relative path

Open TomHeinemeyer opened this issue 8 months ago • 7 comments

If the cdnUrl in the Nuxt config is not a valid url, e.g. a relative path like ./ a call to the URL constructor fails because it expects a valid url. In this case just the cdnUrl is used.

TomHeinemeyer avatar Apr 30 '25 21:04 TomHeinemeyer

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
nuxt-security ✅ Ready (Inspect) Visit Preview 💬 Add feedback Apr 30, 2025 9:20pm

vercel[bot] avatar Apr 30 '25 21:04 vercel[bot]

Are we sure a relative cdnURL is valid?

vejja avatar May 05 '25 17:05 vejja

Are we sure a relative cdnURL is valid?

In our deployment it works and Nuxt also doesn't complain. It is just prepended to the path of the assets, so an actual cdn URL will work as well as local path. In the end the browser will just try to load the assets from whatever we give it and it is our duty to provide a valid path.

TomHeinemeyer avatar May 05 '25 17:05 TomHeinemeyer

Hey,

Great work!

Would you be able to fix the linting? The only necessary changes are in lines 332 while others are not needed.

Apart from that, it is ready to be merged :)

Seems like linting wasn't enabled in my IDE, thanks for spotting this. I will push a fix soon 💪🏼

TomHeinemeyer avatar May 05 '25 17:05 TomHeinemeyer

@TomHeinemeyer The official Nuxt docs require an absolute URL https://nuxt.com/docs/api/nuxt-config#cdnurl

I'm not against supporting it if it works for you, however we would need to think carefully about not breaking things further down the line because the SRI hash map is defined relative to buildAssetsDir which itself could be based on cdnURL (but not always: see https://nuxt.com/docs/api/nuxt-config#buildassetsdir). Say you define cdnURL as '../foo', assuming your deployment environment deploys on https://example.com/bar, would we still resolve the sriHashes correctly ?

Would be really wonderful if you can include some test cases around this and also have a look at #615 to make sure both PRs do not conflict?

vejja avatar May 05 '25 17:05 vejja

@TomHeinemeyer The official Nuxt docs require an absolute URL https://nuxt.com/docs/api/nuxt-config#cdnurl

I'm not against supporting it if it works for you, however we would need to think carefully about not breaking things further down the line because the SRI hash map is defined relative to buildAssetsDir which itself could be based on cdnURL (but not always: see https://nuxt.com/docs/api/nuxt-config#buildassetsdir). Say you define cdnURL as '../foo', assuming your deployment environment deploys on https://example.com/bar, would we still resolve the sriHashes correctly ?

Would be really wonderful if you can include some test cases around this and also have a look at #615 to make sure both PRs do not conflict?

I see, wasn't aware of that. I was just thinking of the deployed application. I will try to make up some test cases for that and will also have a look into the other PR 👍🏼

TomHeinemeyer avatar May 05 '25 18:05 TomHeinemeyer

Hey @TomHeinemeyer

Have you maybe looked at it? :)

Baroshem avatar Jul 09 '25 06:07 Baroshem