Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License
738 stars, 56 forks

Nonce is not set in 1.3.0 #413

Closed dogharrycatpotter closed 2 months ago

dogharrycatpotter commented 2 months ago

Version

nuxt-security: 1.3.0 nuxt: 3.11.1

Reproduction Link

n/a

Steps to reproduce

n/a

What is Expected?

The nuxt.config.ts file definition is below, and "nonce-${nonce}" is correctly set in the response.

  security: {
    headers: {
      contentSecurityPolicy: {
        'script-src': [
          "'self'",
          "'unsafe-inline'",
          "'strict-dynamic'",
          "'nonce-{{nonce}}'",
        ],

    …

    nonce: true
  }

What is actually happening?

The following error has occurred.

'ReferenceError: getResponseHeaders is not defined\n' +
      '    at setNonceInCsp (/**/project-name/node_modules/nuxt-security/dist/runtime/nitro/plugins/99-cspSsrNonce.mjs:36:21)\n' +
      '    at <anonymous> (/**/project-name/node_modules/nuxt-security/dist/runtime/nitro/plugins/99-cspSsrNonce.mjs:32:5)\n' +

This is probably caused by the lack of "getResponseHeaders" in the first line of src/runtime/nitro/plugins/99-cspSsrNonce.ts: import { defineNitroPlugin, getRouteRules, setResponseHeader } from '#imports'

Baroshem commented 2 months ago

@vejja

Could you take a look at it? I think we missed something in the latest release.

@dogharrycatpotter could you please remain at 1.2.X until the end of the week? I am currently off and won't be able to release a patch version, but when I'm back this will be my top priority.

fujita-h commented 2 months ago

I'm in a similar situation and would like to provide information.

Nuxt started returning a 500 error, and at the same time the CSP nonce was not being expanded correctly. The error output from Nuxt is below, and this has started occurring since 1.3.0. After reverting to 1.2.1, the problem no longer occurred.

2024-04-04T04:02:15.798650645Z [nuxt] [request error] [unhandled] [500] The "list" argument must be an instance of SharedArrayBuffer, ArrayBuffer or ArrayBufferView.
2024-04-04T04:02:15.798705846Z   at TextDecoder.decode (node:internal/encoding:449:16)  
2024-04-04T04:02:15.798712046Z   at ./server/chunks/runtime.mjs:5802:67  
2024-04-04T04:02:15.798715846Z   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)  
2024-04-04T04:02:15.798720346Z   at async ./server/chunks/routes/renderer.mjs:292:3  
2024-04-04T04:02:15.798723846Z   at async Object.handler (./server/chunks/routes/renderer.mjs:29:22)  
2024-04-04T04:02:15.798727546Z   at async Object.handler (./server/chunks/runtime.mjs:3064:19)  
2024-04-04T04:02:15.798731146Z   at async Server.toNodeHandle (./server/chunks/runtime.mjs:3330:7)

I checked the location where the error occurred and found that it occurred in the code below that was corrected in #396. https://github.com/Baroshem/nuxt-security/blob/d0a3c3fd252f0c27b7010a03d78349be8d8261a4/src/runtime/nitro/plugins/03-subresourceIntegrity.ts#L25-L26

vejja commented 2 months ago

Fixing now, will patch

@fujita-h this seems to be a different issue. Can you let me know which version of Nuxt you are using?

fujita-h commented 2 months ago

@vejja got it. The environment where this occurred is a little complex, so I will open a new issue when I can reproduce it.

vejja commented 2 months ago

Hi @fujita-h, I'm able to reproduce with Nuxt 3.11.1 on my end. Taking care of it.

Baroshem commented 2 months ago

Released patch 1.3.1 with a fix for that from @vejja.

Please check if it works now :)