Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License
737 stars, 56 forks

CSP violation when directive set to `false` #432

Closed cesxhin closed 2 months ago

cesxhin commented 2 months ago

Version

nuxt-security: v1.3.2
nuxt: v3.11.2

{
    [...]
    "@nuxt/devtools": "1.2.0",
    "@vueuse/nuxt": "10.9.0",
    "vue-router": "4.3.2",
    "vue": "3.4.24",
    "nuxt": "3.11.2",
    "nuxt-security": "^1.3.2",
    [...]
}

Reproduction

https://codesandbox.io/p/live/833607a5-4e18-4517-99f3-552549b9b9dd

With CodeSandbox it seems to work well, but on my PC it doesn't.

I cleaned .nuxt, node_modules and package-lock and reinstalled everything and same result.

I cannot share the entire code which is confidential. This is the nuxt-security configuration:

export default defineNuxtConfig({
  [...]
  modules: [
    [...]
    'nuxt-security',
    [...]
  ],
  security: {
    headers: {
      crossOriginEmbedderPolicy: process.env.NODE_ENV === 'development' ? 'unsafe-none' : 'require-corp',
      permissionsPolicy: {
        fullscreen: 'self'
      },
      contentSecurityPolicy: {
        'upgrade-insecure-requests': !(process.env.NODE_ENV === 'development'),
        'img-src': false
      },
    }
  }
  [...]
})

Steps to reproduce

Set any value inside contentSecurityPolicy.

What is Expected?

No script-src and hash validation errors are shown.

What is actually happening?

Script-src and hash validation errors are shown.

vejja commented 2 months ago

@cesxhin bug confirmed, can reproduce

Regression introduced by #408 in function setNonceInCsp. Blaming https://github.com/Baroshem/nuxt-security/pull/408/commits/3248ea1933072939a043be345fe9f5740af2fa8b#diff-26212f23d270802b4b1588992c6125c83a6c59a138cc290b0017f01151716a1aR54

Will fix. Thanks for the report.

vejja commented 2 months ago

@Baroshem PR #429 fixes it; would you like a temporary patch for this one first?

Baroshem commented 2 months ago

@vejja

I think we can wait until the release of the next major with your PR.

I want to look at it this week and release a new version, preferably on Thursday, if that is ok with you :)

vejja commented 2 months ago

Sounds good to me. @cesxhin, the regression is on boolean values for 'upgrade-insecure-requests' and 'img-src', which you are trying to set to false. Before we fix it on Thursday, you could use { 'img-src': ["'none'"] } and maybe live with the default for upgrade-insecure-requests?

cesxhin commented 2 months ago

> Sounds good to me. @cesxhin, the regression is on boolean values for 'upgrade-insecure-requests' and 'img-src', which you are trying to set to false. Before we fix it on Thursday, you could use { 'img-src': ["'none'"] } and maybe live with the default for upgrade-insecure-requests?

Thanks for the immediate replies.

For the moment I have set the version to v1.2.2 and I'll wait until they release. I'm in no hurry.