vue icon indicating copy to clipboard operation
vue copied to clipboard

Published 20 hours ago verified publisher icon vuejs

feat(ssr): add csp nonce to all elements

Open blake-newman opened this issue 4 years ago • 4 comments

What kind of change does this PR introduce? (check at least one)

  • [ ] Bugfix
  • [x] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Build-related changes
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [x] No

If yes, please describe the impact and migration path for existing applications:

The PR fulfills these requirements:

  • [x] It's submitted to the dev branch for v2.x (or to a previous version branch), not the master branch
  • [x] When resolving a specific issue, it's referenced in the PR's title (e.g. fix #xxx[,#xxx], where "xxx" is the issue number)
  • [x] All tests are passing: https://github.com/vuejs/vue/blob/dev/.github/CONTRIBUTING.md#development-setup
  • [x] New/updated tests are included

Other information:

CSPv3 allows simple nonce based policies and directives such as stict-dynamic. Declaring a policy such as:

Content-Security-Policy:
  object-src 'none';
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  base-uri 'none';
  report-uri https://your-report-collector.example.com/

Would not work with current nonce support with features such as resource hints. This policy creates errors such as

Refused to load the script 'http://localhost:8082/manifest.js' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-68f9bed4d31fcde221e7b5e871860ff2' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' http:". 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

This is because not all rendered elements have an associated nonce.

To support stricter policies that only work scripts / resource hinting add nonce attribute to all element that could be affected via a nonce based policy.

blake-newman avatar Dec 16 '20 12:12 blake-newman

@posva is this good to merge - could be useful for many people. I forgot about this PR myself as we forked and patched the change.

blake-newman avatar Jun 23 '21 08:06 blake-newman

any update?

eliasjtg avatar Feb 22 '22 19:02 eliasjtg

@posva @yyx990803

Is it possible to merge this as part of 2.7 was planning to upgrade to this version and realised this PR was still left open. My bad should have nudged this sooner

blake-newman avatar Sep 12 '22 11:09 blake-newman

@yyx990803 i've updated this to the main branch

blake-newman avatar Nov 28 '22 14:11 blake-newman