Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

CSP not working for specific routes? (Google Maps) #430

Closed MickL closed 5 months ago

MickL commented 5 months ago

Maybe I get it wrong, but setting CSP for specific routes doesn't seem to work:

routeRules: {
  '/contact': {
    security: {
      headers: {
        contentSecurityPolicy: {
          'img-src': [
            'https://maps.googleapis.com',
            'https://maps.gstatic.com',
          ], // For Google Maps
        },
      },
    },
  },
}

If I set it globally it works:

security: {
  headers: {
    contentSecurityPolicy: {
      'img-src': [
        "'self'",
        "data:",
        'https://maps.googleapis.com',
        'https://maps.gstatic.com',
      ], // For Google Maps
    },
  },
},

If I got the docs right and the first example should work, I will create a reproduction sandbox.

vejja commented 5 months ago

Hi @MickL. Route rules are merged additively with array syntax. You can overwrite global settings substitutively with string syntax:

routeRules: {
  '/contact': {
    security: {
      headers: {
        contentSecurityPolicy: {
          'img-src': 'https://maps.googleapis.com https://maps.gstatic.com', // For Google Maps
        },
      },
    },
  },
}

This is explained in the docs here.

FYI, we are aware that this is quite complex and not very intuitive. Right now we are constrained by the Nitro router, but we are planning to change this in the future (merging will always be substitutive, which will work as you expect); see PR #429.
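The two merge behaviours described in the reply above, modelled as an added example that is not nuxt-security's own code: `mergeCsp` applies a route-level CSP object on top of a global one, concatenating array values (additive) and replacing the directive when the route gives a string (substitutive). The global defaults and the `mergeCsp`/`toHeader` helpers are assumptions for illustration; the example also shows the side effect of the string form, which drops the global `'self'` and `data:` sources unless they are repeated in the string.

```javascript
// Constructed global policy, standing in for the globally configured CSP.
const globalCsp = {
  'default-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'script-src': ["'self'"],
};

// Merge a route-level CSP object into the global one, directive by directive.
// Array values are merged additively (global sources kept, route sources
// appended, duplicates removed); string values replace the directive outright.
function mergeCsp(globalPolicy, routePolicy) {
  const merged = { ...globalPolicy };
  for (const [directive, value] of Object.entries(routePolicy)) {
    if (Array.isArray(value)) {
      const base = globalPolicy[directive] ?? [];
      merged[directive] = [...new Set([...base, ...value])];
    } else {
      merged[directive] = value;
    }
  }
  return merged;
}

// Serialize a policy object to a Content-Security-Policy header value.
function toHeader(policy) {
  return Object.entries(policy)
    .map(([directive, value]) =>
      `${directive} ${Array.isArray(value) ? value.join(' ') : value}`)
    .join('; ');
}

// The two route rules from the thread: array syntax vs. string syntax.
const arrayRule = {
  'img-src': ['https://maps.googleapis.com', 'https://maps.gstatic.com'],
};
const stringRule = {
  'img-src': 'https://maps.googleapis.com https://maps.gstatic.com',
};

// Additive: img-src keeps 'self' and data: and gains the two Maps hosts.
console.log(toHeader(mergeCsp(globalCsp, arrayRule)));
// Substitutive: img-src is exactly the two Maps hosts; 'self' and data: are gone.
console.log(toHeader(mergeCsp(globalCsp, stringRule)));
```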

MickL commented 5 months ago

If it is merged, shouldn't it work the way I wrote it? Or am I missing something?

vejja commented 5 months ago

Sorry, I might have misunderstood. What headers do you get?