Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License
737 stars, 56 forks

Support SWR #428

Closed MarijnFK closed 2 months ago

MarijnFK commented 2 months ago

When using an SWR option in routeRules, the nonce header does not match the one served from the server:

Version

- nuxt-security: 1.3.2
- nuxt: 3.11.x

Steps to reproduce

Enable swr on all routes:

```ts
// nuxt.config.ts (excerpt from the report): SWR disabled in development,
// otherwise cached for SWR_TTL seconds (default 60)
routeRules: {
  "*": {
    swr: process.env.NODE_ENV === "development"
      ? false
      : parseInt(process.env.SWR_TTL ? process.env.SWR_TTL.toString() : "60"),
  },
},
```

What is Expected?

The header should use the generated nonce value.

What is actually happening?

The header uses the new nonce, but the HTML served is using the nonce that was used when generating the page.

vejja commented 2 months ago

You're right and I think the conclusion is that we do not support SWR.

I struggle to see how SWR is compatible with nonce. Nonce is supposed to be generated just once and be unguessable. If we re-use nonces, this breaks the RFC. So we have 2 solutions:

@Baroshem what's your opinion on this?

Baroshem commented 2 months ago

Thanks for the investigation @vejja

I would probably go for the second option but maybe @danielroe would have a better idea? :)

vejja commented 2 months ago

Let me investigate further because I actually think we can support it natively without moving to hash mode.

Update: I think the new feat/unified-router-context branch will support SWR natively, will confirm later

vejja commented 2 months ago

@MarijnFK would you be able to share a minimal Stackblitz repro of a basic use case? I'd like to check that we can indeed support SWR on a relevant setup.

MarijnFK commented 2 months ago

@vejja I've made a very simple Stackblitz; it's not really a use case, but it shows the problem: stackblitz

The top date shows the SSR date. It should update every 10 seconds. The bottom date should be hydrated, but isn't, because the script is blocked from executing.

Baroshem commented 2 months ago

@vejja have you maybe checked if this new solution of yours works with the Stackblitz repro provided by @MarijnFK?

vejja commented 2 months ago

> @vejja have you maybe checked if this new solution of yours works with the Stackblitz repro provided by @MarijnFK?

Yes, I included an equivalent example in the playground under the /swr page there; it is testable with `yarn dev` and then going to localhost:3000/swr.

MarijnFK commented 2 months ago

@vejja Good to hear, looking forward to the update! Thanks for the (quick!) responses