
CSP utils

Open pi0 opened this issue 3 years ago • 10 comments

https://github.com/nuxt/nuxt.js/issues/11793

(we probably do need to add this partially to unjs/h3)

pi0 avatar Apr 12 '22 16:04 pi0

Is this part of the roadmap for one of the next releases?

What would otherwise be a good entry point to start working on this, if one doesn't have any experience with this project so far?

fkammer avatar Jan 11 '23 17:01 fkammer

Any news on this? Trying to avoid 'unsafe-inline' in my nuxt project and got here. Are there any plans on generating a nonce or hash per request if SSR'd / build if SSG'd?

just-maik avatar Feb 16 '23 14:02 just-maik

+1, I will not use nuxt for chrome extension building until this issue is fixed.

terwer avatar Feb 16 '23 14:02 terwer

This is an important feature to have indeed. Moving to h3 as it will probably finally be a util from h3, served by nitro/nuxt renderers.

For nuxt, you can try the nuxt-security module in the meantime. (Notice: I have not audited the module and it only adds general CSP rules - i.e. not preventing bad script execution from same origin)

pi0 avatar Feb 16 '23 14:02 pi0

Any updates on this, please? nuxt-security uses "unsafe-inline", so is definitely not a secure option. If we do not have an end-to-end solution, is there at least a way to ensure that all script tags are added dynamically so that we can layer a custom solution on top of that by, for example, manually calculating hashes?

tnabil avatar Sep 27 '23 04:09 tnabil

Hey @tnabil, please include only the information in comments that are relevant to the repository you're posting to. Copy pasting to multiple similar issues across different repositories does slow things down due to unnecessary notifications. If you're affected by an already existing issue, please add a :+1: to the original post.

Regarding your question: nuxt-security includes unsafe-inline per default as it is required while https://github.com/vitejs/vite/issues/11862 is still unresolved. You can override that default if you wish. Also, nuxt-security allows you to make use of nonces, which might be close enough to what you long for.

dargmuesli avatar Sep 27 '23 04:09 dargmuesli

@dargmuesli Actually, nonces do not work for us because we are deploying as a static app, so we are looking to use hashes. I believe the main issue is that Nuxt uses script tags with a src attribute, which is not compatible with the use of 'strict-dynamic'. For example: `<script type="module" src="/_nuxt/entry.75c7075c.js" crossorigin=""></script>` Whereas the recommended approach (e.g. here) is to load scripts dynamically. Is there any workaround to achieve this now? Note that I'm yet to tackle the CSS side of things.

tnabil avatar Sep 27 '23 05:09 tnabil

Please continue the Nuxt related conversation in https://github.com/nuxt/nuxt/issues/11793.

dargmuesli avatar Sep 27 '23 05:09 dargmuesli

@baroshem, would you be interested in picking this up?

pi0 avatar Jun 04 '25 22:06 pi0

Hey @pi0

Yes, I can pick this up after I implement CSP in Nuxt :)

Baroshem avatar Jun 06 '25 10:06 Baroshem