Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

`defineRouteRules` CSP headers not taken into account #455

Closed DamianGlowala closed 3 weeks ago

DamianGlowala commented 1 month ago

Version

nuxt-security: 2.0.0-beta.5 nuxt: 3.11.2

Reproduction Link

Steps to reproduce

What is Expected?

The following config isn't taken into account when placed in one of the pages:

defineRouteRules({
    security: {
        headers: {
            contentSecurityPolicy: {
                'connect-src': [
                    'https://*.googleapis.com',
                    '*.google.com',
                    'https://*.gstatic.com'
                ],
                'frame-src': [
                    '*.google.com'
                ],
                'font-src': [
                    'https://fonts.gstatic.com'
                ],
                'style-src': [
                    'https://fonts.googleapis.com'
                ],
                'img-src': [
                    'https://*.googleapis.com',
                    'https://*.gstatic.com',
                    '*.google.com'
                ]
            }
        }
    }
})

What is actually happening?

Clearly only the default values declared in the nuxt.config file are displayed:

image

(I do have experimental.inlineRouteRules enabled.)
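The check behind "headers not taken into account" can be made mechanical. The script below is an added example, not code from the nuxt-security project: it parses a Content-Security-Policy response header and reports which sources from the per-route rule above (same object shape as the defineRouteRules snippet) are absent. The two header values are constructed for illustration and do not reproduce the module's real defaults. One caveat it handles: a CSP scheme source such as `https:` already covers `https://fonts.gstatic.com`, so a literal diff of the header would flag a permission that is in fact granted.

```javascript
// Added example, not code from the nuxt-security project: parse a
// Content-Security-Policy response header and report which sources from a
// per-route rule (same object shape as the defineRouteRules snippet above)
// are missing. All header values below are constructed for illustration.

// Parse "dir1 a b; dir2 c" into a Map: directive name -> Set of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, new Set());
    for (const source of sources) directives.get(key).add(source);
  }
  return directives;
}

// Does a source expression already in the header satisfy the wanted one?
// Exact match, the '*' wildcard, and bare scheme sources such as "https:"
// (which covers any https:// host) are handled; host wildcards like
// "https://*.googleapis.com" are compared literally, not expanded.
const SCHEME_ONLY = /^[a-z][a-z0-9+.-]*:$/i;
function covers(present, wanted) {
  if (present === wanted) return true;
  if (present === '*') return !SCHEME_ONLY.test(wanted);
  if (SCHEME_ONLY.test(present)) {
    return wanted.toLowerCase().startsWith(present.toLowerCase() + '//');
  }
  return false;
}

// Return { directive: [missing sources] } for every expected source that no
// source expression in the header covers. An empty object means the rule was applied.
function missingSources(header, expected) {
  const actual = parseCsp(header);
  const missing = {};
  for (const [directive, wantedList] of Object.entries(expected)) {
    const present = [...(actual.get(directive) ?? [])];
    const absent = wantedList.filter(
      (wanted) => !present.some((p) => covers(p, wanted)),
    );
    if (absent.length > 0) missing[directive] = absent;
  }
  return missing;
}

// The per-route additions from the issue's defineRouteRules call.
const ROUTE_RULE_CSP = {
  'connect-src': ['https://*.googleapis.com', '*.google.com', 'https://*.gstatic.com'],
  'frame-src': ['*.google.com'],
  'font-src': ['https://fonts.gstatic.com'],
  'style-src': ['https://fonts.googleapis.com'],
  'img-src': ['https://*.googleapis.com', 'https://*.gstatic.com', '*.google.com'],
};

// Constructed: a header carrying only global defaults, the symptom the issue describes.
const DEFAULTS_ONLY_HEADER =
  "default-src 'self'; connect-src 'self'; font-src 'self' https: data:; " +
  "style-src 'self' 'nonce-abc123'; img-src 'self' data:; frame-src 'self'; base-uri 'self'";

// Constructed: the same header with the route rule's sources merged in.
const MERGED_HEADER =
  "default-src 'self'; " +
  "connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com; " +
  "font-src 'self' https: data: https://fonts.gstatic.com; " +
  "style-src 'self' 'nonce-abc123' https://fonts.googleapis.com; " +
  "img-src 'self' data: https://*.googleapis.com https://*.gstatic.com *.google.com; " +
  "frame-src 'self' *.google.com; base-uri 'self'";

console.log('defaults only ->', missingSources(DEFAULTS_ONLY_HEADER, ROUTE_RULE_CSP));
console.log('merged        ->', missingSources(MERGED_HEADER, ROUTE_RULE_CSP));
```

To use it against a live app, take the Content-Security-Policy value from a fresh server response for the route (for example the output of `curl -sI` on that URL) and pass it as `header`. A client-side navigation does not fetch a new HTML document, so no new response headers arrive for the target route; only a full load of the page from the server shows what the server actually sends for it.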

vejja commented 1 month ago

Hi @DamianGlowala, the inline definitions of defineRouteRules work correctly on my side. Are you navigating on the client side or are you hard-reloading the page from the server? Cf. https://nuxt-security.vercel.app/documentation/advanced/strict-csp#per-route-csp

DamianGlowala commented 1 month ago

Hi @vejja,

Thank you for checking them on your side! I think I'll need to provide a minimal reproduction; I hope I'll manage to make one.

Headers are absent in both cases - after a client-side navigation and when entering the page after a reload.

The link you sent explains quite a lot though, and it turns out inline CSP headers aren't a good choice for my project.

vejja commented 1 month ago

Edit: Is your page pre-rendered? This might actually be a corner case.

DamianGlowala commented 1 month ago

Nope, it's an SSR app with no prerendered pages.

vejja commented 1 month ago

OK, let me know if you can provide a repro. There might be something to fix.

DamianGlowala commented 3 weeks ago

(I'll reopen if I manage to provide a reproduction.)