Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License
738 stars, 56 forks

adding nuxt-security ^1.3.0 without any config leads to 500 (Netlify) and script errors (localhost) - expected? #419

Closed denisenepraunig closed 2 months ago

denisenepraunig commented 2 months ago

Hello, I am getting started with nuxt-security.

TL;DR:

I just installed the latest Nuxt and nuxt-security. Locally I get some warnings in the console but the site works; deployed to Netlify I get a 500.

❓ Without touching anything, I am wondering if this is the expected behaviour?

Source code is here: https://github.com/denisenepraunig/nuxt-security-test

Deployed to Netlify - 500 https://nuxt-security-test.netlify.app/

I've created a project from scratch with:

npx nuxi@latest init nuxt-security-test
npx nuxi@latest module add security

which results in this package.json - dependencies:

"dependencies": {
  "nuxt": "^3.11.2",
  "nuxt-security": "^1.3.0",
  "vue": "^3.4.21",
  "vue-router": "^4.3.0"
}

nuxt.config.ts:

export default defineNuxtConfig({
  devtools: { enabled: true },
  modules: ["nuxt-security"]
})

Localhost: script errors, but it works

When I run it locally with npm run dev I see this:
Refused to load the script 'http://localhost:3002/_nuxt/@vite/client' because it violates the following Content Security Policy directive: "script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-{{nonce}}'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

localhost/:9 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-{{nonce}}'". Either the 'unsafe-inline' keyword, a hash ('sha256-ywX1jMWBvLA4vnpd6j5yBtD3YAo2d1bvP29VM4VZ4so='), or a nonce ('nonce-...') is required to enable inline execution.

localhost/:19 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-{{nonce}}'". Either the 'unsafe-inline' keyword, a hash ('sha256-ChValuzd0cyaDyQRGsHBMsFX2hzljF1GK3M80fFrnAk='), or a nonce ('nonce-...') is required to enable inline execution.

Netlify 500

When I deploy to Netlify I get a 500

nuxt-security-test.netlify.app/:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'nonce-{{nonce}}'". Either the 'unsafe-inline' keyword, a hash ('sha256-gwEUKwLFu0zI6vy2K6p/qLT9Tc+uykTl+06eLad4k4I='), or a nonce ('nonce-...') is required to enable inline execution.
nuxt-security-test.netlify.app/:1 Failed to load resource: the server responded with a status of 500 ()

❓ Is this the expected behaviour?

vejja commented 2 months ago

Hi @denisenepraunig This is not normal. We are facing a dependency regression with 1.3.0, we will patch soon. In the meantime can you please downgrade to "nuxt-security": "1.2.2" in package.json?

vejja commented 2 months ago

@Baroshem Related to Issue #415

Dino-Kupinic commented 2 months ago

1.3.0 is a regression for me as well. I use 1.2.2 while this is not fixed.

Baroshem commented 2 months ago

Released patch 1.3.1 with a fix for that from @vejja.

Please check if it works now :)

vejja commented 2 months ago

I can confirm this scenario by @denisenepraunig now works correctly with patch 1.3.1

Dino-Kupinic commented 2 months ago

works!

cesxhin commented 2 months ago

[Screenshot 2024-04-23 at 11:05:57]

I'm using nuxt-security v1.3.2, but it happens when I want to specify contentSecurityPolicy inside. Maybe a regression?

security: {
  headers: {
    contentSecurityPolicy: {
      'upgrade-insecure-requests': false,
    },
  },
}

vejja commented 2 months ago

Hi @cesxhin This looks like maybe a different issue. Is this your full security config, or do you have other settings as well? Also, can you let me know your Nuxt version?

Baroshem commented 2 months ago

@cesxhin I think this is a different issue. Could you please open a new issue with all the details and preferably a reproduction repository?