Baroshem
commented
3 months ago Hey, thanks for reporting this.
@vejja @huang-julien do you have some ideas about it? :)
Closed jackpercy-acl closed 2 months ago
Baroshem
commented
3 months ago Hey, thanks for reporting this.
@vejja @huang-julien do you have some ideas about it? :)
vejja
commented
3 months ago @jackpercy-acl : does it work if you don't use the runtime config and instead use the default nuxt.config.ts ?
jackpercy-acl
commented
3 months ago @vejja yes, it works fine if configuring only in nuxt.config.ts
vejja
commented
3 months ago Thanks @huang-julien looks like the runtime config is not picked up here ?
huang-julien
commented
3 months ago I'm not sure about that, I can't reproduce it
I may have to try reproduce it locally
jackpercy-acl
commented
3 months ago @huang-julien if you check the headers on the returned doc rather than logging render:response you will see the unset nonce.
I assume this beforeResponse hook is run after render:response which is when the CSP from the nuxt-security:headers hook is set on the response.
Version
nuxt-security: 1.2.2 nuxt: 3.11.1
Reproduction Link
https://stackblitz.com/edit/nuxt-security-missing-nonce?file=server%2Fplugins%2Fsecurity.ts
Steps to reproduce
nuxt-security:headershook to change CSP with Runtime Config as per docs'nonce-{{nonce}}'value in one of the CSP valuesWhat is Expected?
The CSP header should be transformed to include the actual nonce value.
What is actually happening?
The CSP value contains the exact string
'nonce-{{nonce}}'By adding some logging into the
nuxt-securitynitro plugins files, you can see that the custom CSP from the hook is being registered. However, when the plugin99-cspSsrNonce.tsruns, the CSP value it resolves and replaces the nonces in, is the default/nuxt.config.ts CSP.https://github.com/Baroshem/nuxt-security/blob/13a96a6e36989a277cb046b379bb65a251e04afc/src/runtime/nitro/plugins/99-cspSsrNonce.ts#L43
This is meaning we cannot do a combination of using runtime config in the CSP and nonces.