Closed BnitoBzh closed 2 months ago
Hi @BnitoBzh
There are many small things that you should double-check in your configuration. For instance `font-src` is not nonceable, setting CSP via `script-src-elem` instead of `script-src` is likely to block some `script-src-attr`, and setting open values to `default-src` is generally not recommended. Also you are loading the GTM script both via `modules` and via `app.head` unless I'm mistaken. There might be good reasons for all of these but just wanted to flag these first.
Aside from these, and in order to keep issues separate, can you do the following:
- `contentSecurityPolicy`
- `modules`, i.e. erase the `app.head` entries
And then let me know the CSP issue list with a screenshot if possible. This will help me better understand the situation. Thanks!

@vejja, thanks for the CSP config issue, I will make changes and test.
For the GTM script it must be loaded by the `app.head` in order to load it in the `<head>` section and not at the end of the `<body>` section. That is why the `gtm.loadScript` option is set to `false`, the `nuxt-gtm` module doesn't manage the script load.
In Chrome and Firefox everything works fine (although the empty `nonce` issue is still there), it just doesn't work on Safari.
Could you let me know what you mean by 'empty nonce'?
If your scripts are inserted by the client-side this is absolutely normal because only the server-side can insert nonces. But it shouldn't prevent your scripts from loading if you use `strict-dynamic`.
Please provide screenshots of the Safari complaints. Maybe the issue is due to how you manage the `onload` event handler, if required. Because your GTM script is inserted twice, it's hard to understand where the issue is coming from. I would first try to disable the module entry if it doesn't manage anything.
I can see that you are using Nuxt 3.11.2: you could use the new `useScript` composable, which deals with all the hassle of loading external scripts.
Here are two examples:
From the server response (with nonce)
From the dev toolbar, after load:

The dev toolbar in the 'Elements' section does not display the nonce for security reasons. You can only see them in the raw server response, in the Network tab's Response view.
Hmm ok... So do you have any idea why my CSP is ignored in Safari?
I can try to help if you send me a screenshot of the Console and Network Headers tabs of the Safari devtools
@BnitoBzh any details from your side? :)
I have removed all `nonce` configurations and I use the forced declarations instead.
@BnitoBzh I think this might actually be related to #432
I can see that you have `{ 'script-src': false, 'img-src': false }` and another user reported that setting boolean values to CSP directives erased the nonces from the headers.
If you don't use boolean values in `contentSecurityPolicy`, would it fix the problem?
Hi @BnitoBzh, we fixed #432 in today's release. Would you be able to upgrade to 1.4.2 to check if it solves your issue also?
Sorry, not enough time to test it now, I will test it next week.
Closing the ticket as the issue was resolved. If there is a need to reopen, please let me know :)
Version
nuxt-security: 1.3.2
nuxt: 3.11.2
Reproduction Link
Nothing
Steps to reproduce
Nothing
What is Expected?
Nuxt must render the page in SSR mode with all `nonce` attributes set on each script tag.
What is actually happening?
When Nuxt renders the page in SSR mode, all `nonce` attributes are set. I am using the browser utility "show the page source", this is OK! But when the page is fully loaded and the Nuxt app is running, the developer tools show that all `nonce` attribute values are empty... This causes multiple issues with CSP... Here is my nuxt config file: